chore(ci): update slab-github-runner action to v1.6.0

This action version now uses node24 as runner since node20 support is dropped on April 2026.
chore: add compressed xof key set backward to 1.5
2026-04-28 03:01:21 -04:00 · 2026-04-01 09:47:54 +02:00 · 2026-03-11 17:26:14 +01:00 · 2026-03-11 17:26:14 +01:00 · 2026-03-11 17:26:14 +01:00 · 2026-03-11 17:26:14 +01:00
1017 changed files with 29652 additions and 114726 deletions
--- a/.cargo/audit.toml
+++ b/.cargo/audit.toml
@@ -4,9 +4,6 @@ ignore = [
    "RUSTSEC-2024-0436",
    # Ignoring unmaintained 'bincode' crate. Getting rid of it would be too complex on the short term.
    "RUSTSEC-2025-0141",
-    # Ignoring unsoundness in 'rand' with custom logger. Rand update is currently blocked by
-    # arkworks and we do not use custom loggers.
-    "RUSTSEC-2026-0097",
 ]

 [output]
--- a/.github/actions/gpu_setup/action.yml
+++ b/.github/actions/gpu_setup/action.yml
@@ -23,16 +23,10 @@ runs:
        echo "${CMAKE_SCRIPT_SHA} cmake-${CMAKE_VERSION}-linux-x86_64.sh" > checksum
        sha256sum -c checksum
        sudo bash cmake-"${CMAKE_VERSION}"-linux-x86_64.sh --skip-license --prefix=/usr/ --exclude-subdir
-
-        # Disable unattended-upgrades to avoid lock issues
-        sudo systemctl mask --now unattended-upgrades
-        sudo systemctl stop --now unattended-upgrades
-
        sudo apt-get clean
        sudo rm -rf /var/lib/apt/lists/*
-        sudo apt purge -y unattended-upgrades
-
        sudo apt update
+        sudo apt remove -y unattended-upgrades
        sudo apt install -y cmake-format libclang-dev
      env:
        CMAKE_VERSION: 3.29.6
@@ -70,15 +64,6 @@ runs:
        echo "${CUDA_KEYRING_SHA} ${CUDA_KEYRING_PACKAGE}" > checksum
        sha256sum -c checksum
        sudo dpkg -i "${CUDA_KEYRING_PACKAGE}"
-
-        # Disable unattended-upgrades to avoid lock issues
-        sudo systemctl mask --now unattended-upgrades
-        sudo systemctl stop --now unattended-upgrades
-
-        sudo apt-get clean
-        sudo rm -rf /var/lib/apt/lists/*
-        sudo apt purge -y unattended-upgrades
-
        sudo apt update
        sudo apt -y install cuda-toolkit-"${TOOLKIT_VERSION}"

--- a/.github/runs-on.yml
+++ b/.github/runs-on.yml
@@ -1,15 +0,0 @@
-runners:
-  cpu-big:
-    family: m6i.32xlarge
-    image: cpu-tests-eu-west-3
-    volume: 200gb
-    spot: false
-  cpu-small:
-    family: m6i.4xlarge
-    image: cpu-tests-eu-west-3
-    volume: 200gb
-    spot: false
-
-images:
-  cpu-tests-eu-west-3:
-    ami: "ami-0a786ffdb1411fac4"  # Ubuntu 24.04
--- a/.github/workflows/aws_tfhe_backward_compat_tests.yml
+++ b/.github/workflows/aws_tfhe_backward_compat_tests.yml
@@ -1,5 +1,5 @@
-# Run data related tests
-name: aws_data_tests
+# Run backward compatibility tests
+name: aws_tfhe_backward_compat_tests

 env:
  CARGO_TERM_COLOR: always
@@ -14,7 +14,9 @@ env:
  SLACKIFY_MARKDOWN: true
  PULL_REQUEST_MD_LINK: ""
  CHECKOUT_TOKEN: ${{ secrets.REPO_CHECKOUT_TOKEN || secrets.GITHUB_TOKEN }}
-
+  # Secrets will be available only to zama-ai organization members
+  SECRETS_AVAILABLE: ${{ secrets.JOB_SECRET != '' }}
+  EXTERNAL_CONTRIBUTION_RUNNER: "large_ubuntu_16"

 on:
  # Allows you to run this workflow manually from the Actions tab as an alternative.
@@ -30,17 +32,41 @@ permissions:
 # zizmor: ignore[concurrency-limits] concurrency is managed after instance setup to ensure safe provisioning

 jobs:
-  data-tests:
-    name: aws_data_tests/data-tests (bpr)
-    if: (github.event_name == 'push' && github.repository == 'zama-ai/tfhe-rs') ||
-      github.event_name != 'push'
-    runs-on: "runs-on=${{ github.run_id }}/runner=cpu-small"
+  setup-instance:
+    name: aws_tfhe_backward_compat_tests/setup-instance
+    runs-on: ubuntu-latest
+    outputs:
+      runner-name: ${{ steps.start-remote-instance.outputs.label || steps.start-github-instance.outputs.runner_group }}
+    steps:
+      - name: Start remote instance
+        id: start-remote-instance
+        if: env.SECRETS_AVAILABLE == 'true'
+        uses: zama-ai/slab-github-runner@5aee5d157f4a0201e5eaefc9cc648e5f9f5472a5 # v1.6.0
+        with:
+          mode: start
+          github-token: ${{ secrets.SLAB_ACTION_TOKEN }}
+          slab-url: ${{ secrets.SLAB_BASE_URL }}
+          job-secret: ${{ secrets.JOB_SECRET }}
+          backend: aws
+          profile: cpu-small
+
+      # This instance will be spawned especially for pull-request from forked repository
+      - name: Start GitHub instance
+        id: start-github-instance
+        if: env.SECRETS_AVAILABLE == 'false'
+        run: |
+          echo "runner_group=${EXTERNAL_CONTRIBUTION_RUNNER}" >> "$GITHUB_OUTPUT"
+
+  backward-compat-tests:
+    name: aws_tfhe_backward_compat_tests/backward-compat-tests (bpr)
+    needs: [ setup-instance ]
+    runs-on: ${{ needs.setup-instance.outputs.runner-name }}
    concurrency:
      group: ${{ github.workflow_ref }}${{ github.ref == 'refs/heads/main' && github.sha || '' }}
      cancel-in-progress: ${{ github.ref != 'refs/heads/main' }}
    steps:
      - name: Checkout tfhe-rs
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
        with:
          persist-credentials: 'true' # Needed to pull lfs data
          token: ${{ env.CHECKOUT_TOKEN }}
@@ -49,24 +75,22 @@ jobs:
      - name: Get LFS data sha
        id: hash-lfs-data
        run: |
-          SHA=$(git lfs ls-files -l -I utils/tfhe-backward-compat-data,tests/corrupted_inputs_deserialization | sha256sum | cut -d' ' -f1)
+          SHA=$(git lfs ls-files -l -I utils/tfhe-backward-compat-data | sha256sum | cut -d' ' -f1)
          echo "sha=${SHA}" >> "${GITHUB_OUTPUT}"

      - name: Retrieve data from cache
        id: retrieve-data-cache
-        uses: actions/cache/restore@668228422ae6a00e4ad889ee87cd7109ec5666a7 #v5.0.4
+        uses: actions/cache/restore@9255dc7a253b0ccc959486e2bca901246202afeb #v5.0.1
        with:
          path: |
            utils/tfhe-backward-compat-data/**/*.cbor
            utils/tfhe-backward-compat-data/**/*.bcode
-            tests/corrupted_inputs_deserialization/**/*.bcode
          key: ${{ steps.hash-lfs-data.outputs.sha }}

      - name: Pull test data
        if: steps.retrieve-data-cache.outputs.cache-hit != 'true'
        run: |
          make pull_backward_compat_data
-          make pull_corrupted_inputs_data

      # Pull token was stored by action/checkout to be used by lfs, we don't need it anymore
      - name: Remove git credentials
@@ -82,19 +106,14 @@ jobs:
        run: |
          make test_backward_compatibility_ci

-      - name: Run corrupted inputs deserialization tests
-        run: |
-          make test_corrupted_inputs_ci
-
      - name: Store data in cache
        if: steps.retrieve-data-cache.outputs.cache-hit != 'true'
        continue-on-error: true
-        uses: actions/cache/save@668228422ae6a00e4ad889ee87cd7109ec5666a7 #v5.0.4
+        uses: actions/cache/save@9255dc7a253b0ccc959486e2bca901246202afeb #v5.0.1
        with:
          path: |
            utils/tfhe-backward-compat-data/**/*.cbor
            utils/tfhe-backward-compat-data/**/*.bcode
-            tests/corrupted_inputs_deserialization/**/*.bcode
          key: ${{ steps.hash-lfs-data.outputs.sha }}

      - name: Set pull-request URL
@@ -112,3 +131,27 @@ jobs:
        env:
          SLACK_COLOR: ${{ job.status }}
          SLACK_MESSAGE: "Backward compatibility tests finished with status: ${{ job.status }}. (${{ env.PULL_REQUEST_MD_LINK }}[action run](${{ env.ACTION_RUN_URL }}))"
+
+  teardown-instance:
+    name: aws_tfhe_backward_compat_tests/teardown-instance
+    if: ${{ always() && needs.setup-instance.result == 'success' }}
+    needs: [ setup-instance, backward-compat-tests ]
+    runs-on: ubuntu-latest
+    steps:
+      - name: Stop remote instance
+        id: stop-instance
+        if: env.SECRETS_AVAILABLE == 'true'
+        uses: zama-ai/slab-github-runner@5aee5d157f4a0201e5eaefc9cc648e5f9f5472a5 # v1.6.0
+        with:
+          mode: stop
+          github-token: ${{ secrets.SLAB_ACTION_TOKEN }}
+          slab-url: ${{ secrets.SLAB_BASE_URL }}
+          job-secret: ${{ secrets.JOB_SECRET }}
+          label: ${{ needs.setup-instance.outputs.runner-name }}
+
+      - name: Slack Notification
+        if: ${{ failure() }}
+        uses: rtCamp/action-slack-notify@e31e87e03dd19038e411e38ae27cbad084a90661
+        env:
+          SLACK_COLOR: ${{ job.status }}
+          SLACK_MESSAGE: "Instance teardown (backward-compat-tests) finished with status: ${{ job.status }}. (${{ env.ACTION_RUN_URL }})"
--- a/.github/workflows/aws_tfhe_fast_tests.yml
+++ b/.github/workflows/aws_tfhe_fast_tests.yml
@@ -15,6 +15,9 @@ env:
  IS_PULL_REQUEST: ${{ github.event_name == 'pull_request' }}
  PULL_REQUEST_MD_LINK: ""
  CHECKOUT_TOKEN: ${{ secrets.REPO_CHECKOUT_TOKEN || secrets.GITHUB_TOKEN }}
+  # Secrets will be available only to zama-ai organization members
+  SECRETS_AVAILABLE: ${{ secrets.JOB_SECRET != '' }}
+  EXTERNAL_CONTRIBUTION_RUNNER: "large_ubuntu_64-22.04"

 on:
  # Allows you to run this workflow manually from the Actions tab as an alternative.
@@ -36,7 +39,6 @@ jobs:
      csprng_test: ${{ env.IS_PULL_REQUEST == 'false' || steps.changed-files.outputs.csprng_any_changed }}
      zk_pok_test: ${{ env.IS_PULL_REQUEST == 'false' || steps.changed-files.outputs.zk_pok_any_changed }}
      versionable_test: ${{ env.IS_PULL_REQUEST == 'false' || steps.changed-files.outputs.versionable_any_changed }}
-      safe_serialize_test: ${{ env.IS_PULL_REQUEST == 'false' || steps.changed-files.outputs.safe_serialize_any_changed }}
      core_crypto_test: ${{ env.IS_PULL_REQUEST == 'false' ||
        steps.changed-files.outputs.core_crypto_any_changed ||
        steps.changed-files.outputs.dependencies_any_changed }}
@@ -61,15 +63,15 @@ jobs:
      any_file_changed: ${{ env.IS_PULL_REQUEST == 'false' || steps.aggregated-changes.outputs.any_changed }}
    steps:
      - name: Checkout tfhe-rs
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
        with:
          fetch-depth: 0
-          persist-credentials: "false"
+          persist-credentials: 'false'
          token: ${{ env.CHECKOUT_TOKEN }}

      - name: Check for file changes
        id: changed-files
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
        with:
          files_yaml: |
            dependencies:
@@ -79,7 +81,6 @@ jobs:
              - tfhe-zk-pok/**
              - utils/tfhe-versionable/**
              - utils/tfhe-versionable-derive/**
-              - utils/tfhe-safe-serialize/**
            csprng:
              - tfhe-csprng/**
            zk_pok:
@@ -87,8 +88,6 @@ jobs:
            versionable:
              - utils/tfhe-versionable/**
              - utils/tfhe-versionable-derive/**
-            safe_serialize:
-              - utils/tfhe-safe-serialize/**
            core_crypto:
              - tfhe/src/core_crypto/**
            boolean:
@@ -125,7 +124,6 @@ jobs:
          steps.changed-files.outputs.csprng_any_changed == 'true' ||
          steps.changed-files.outputs.zk_pok_any_changed == 'true' ||
          steps.changed-files.outputs.versionable_any_changed == 'true' ||
-          steps.changed-files.outputs.safe_serialize_any_changed == 'true' ||
          steps.changed-files.outputs.core_crypto_any_changed == 'true' ||
          steps.changed-files.outputs.boolean_any_changed == 'true' ||
          steps.changed-files.outputs.shortint_any_changed == 'true' ||
@@ -136,20 +134,46 @@ jobs:
        run: |
          echo "any_changed=true" >> "$GITHUB_OUTPUT"

-  fast-tests:
-    name: Fast CPU tests
-    needs: should-run
+  setup-instance:
+    name: aws_tfhe_fast_tests/setup-instance
    if: github.event_name == 'workflow_dispatch' ||
      (github.event_name != 'workflow_dispatch' && needs.should-run.outputs.any_file_changed == 'true')
+    needs: should-run
+    runs-on: ubuntu-latest
+    outputs:
+      runner-name: ${{ steps.start-remote-instance.outputs.label || steps.start-github-instance.outputs.runner_group }}
+    steps:
+      - name: Start remote instance
+        id: start-remote-instance
+        if: env.SECRETS_AVAILABLE == 'true'
+        uses: zama-ai/slab-github-runner@5aee5d157f4a0201e5eaefc9cc648e5f9f5472a5 # v1.6.0
+        with:
+          mode: start
+          github-token: ${{ secrets.SLAB_ACTION_TOKEN }}
+          slab-url: ${{ secrets.SLAB_BASE_URL }}
+          job-secret: ${{ secrets.JOB_SECRET }}
+          backend: aws
+          profile: cpu-big
+
+      # This instance will be spawned especially for pull-request from forked repository
+      - name: Start GitHub instance
+        id: start-github-instance
+        if: env.SECRETS_AVAILABLE == 'false'
+        run: |
+          echo "runner_group=${EXTERNAL_CONTRIBUTION_RUNNER}" >> "$GITHUB_OUTPUT"
+
+  fast-tests:
+    name: Fast CPU tests
+    needs: [ should-run, setup-instance ]
    concurrency:
      group: ${{ github.workflow_ref }}
      cancel-in-progress: true
-    runs-on: "runs-on=${{ github.run_id }}/runner=cpu-big"
+    runs-on: ${{ needs.setup-instance.outputs.runner-name }}
    steps:
      - name: Checkout tfhe-rs
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
        with:
-          persist-credentials: "false"
+          persist-credentials: 'false'
          token: ${{ env.CHECKOUT_TOKEN }}

      - name: Install latest stable
@@ -174,11 +198,6 @@ jobs:
        run: |
          make test_versionable

-      - name: Run tfhe-safe-serialize tests
-        if: needs.should-run.outputs.safe_serialize_test == 'true'
-        run: |
-          make test_safe_serialize
-
      - name: Run core tests
        if: needs.should-run.outputs.core_crypto_test == 'true'
        run: |
@@ -200,7 +219,7 @@ jobs:

      - name: Node cache restoration
        id: node-cache
-        uses: actions/cache/restore@668228422ae6a00e4ad889ee87cd7109ec5666a7 #v5.0.4
+        uses: actions/cache/restore@9255dc7a253b0ccc959486e2bca901246202afeb #v5.0.1
        with:
          path: |
            ~/.nvm
@@ -213,7 +232,7 @@ jobs:
          make install_node

      - name: Node cache save
-        uses: actions/cache/save@668228422ae6a00e4ad889ee87cd7109ec5666a7 #v5.0.4
+        uses: actions/cache/save@9255dc7a253b0ccc959486e2bca901246202afeb #v5.0.1
        if: steps.node-cache.outputs.cache-hit != 'true'
        with:
          path: |
@@ -270,3 +289,27 @@ jobs:
        env:
          SLACK_COLOR: ${{ job.status }}
          SLACK_MESSAGE: "Fast AWS tests finished with status: ${{ job.status }}. (${{ env.PULL_REQUEST_MD_LINK }}[action run](${{ env.ACTION_RUN_URL }}))"
+
+  teardown-instance:
+    name: aws_tfhe_fast_tests/teardown-instance
+    if: ${{ always() && needs.setup-instance.result == 'success' }}
+    needs: [ setup-instance, fast-tests ]
+    runs-on: ubuntu-latest
+    steps:
+      - name: Stop remote instance
+        id: stop-instance
+        if: env.SECRETS_AVAILABLE == 'true'
+        uses: zama-ai/slab-github-runner@5aee5d157f4a0201e5eaefc9cc648e5f9f5472a5 # v1.6.0
+        with:
+          mode: stop
+          github-token: ${{ secrets.SLAB_ACTION_TOKEN }}
+          slab-url: ${{ secrets.SLAB_BASE_URL }}
+          job-secret: ${{ secrets.JOB_SECRET }}
+          label: ${{ needs.setup-instance.outputs.runner-name }}
+
+      - name: Slack Notification
+        if: ${{ failure() || (cancelled() && github.event_name != 'pull_request') }}
+        uses: rtCamp/action-slack-notify@e31e87e03dd19038e411e38ae27cbad084a90661
+        env:
+          SLACK_COLOR: ${{ job.status }}
+          SLACK_MESSAGE: "Instance teardown (fast-tests) finished with status: ${{ job.status }}. (${{ env.ACTION_RUN_URL }})"
--- a/.github/workflows/aws_tfhe_integer_tests.yml
+++ b/.github/workflows/aws_tfhe_integer_tests.yml
@@ -17,7 +17,9 @@ env:
  TFHE_RS_CLEAR_IN_MEMORY_KEY_CACHE: "1"
  NO_BIG_PARAMS: FALSE
  CHECKOUT_TOKEN: ${{ secrets.REPO_CHECKOUT_TOKEN || secrets.GITHUB_TOKEN }}
-
+  # Secrets will be available only to zama-ai organization members
+  SECRETS_AVAILABLE: ${{ secrets.JOB_SECRET != '' }}
+  EXTERNAL_CONTRIBUTION_RUNNER: "large_ubuntu_64-22.04"

 on:
  # Allows you to run this workflow manually from the Actions tab as an alternative.
@@ -48,7 +50,7 @@ jobs:
        steps.changed-files.outputs.integer_any_changed }}
    steps:
      - name: Checkout tfhe-rs
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
        with:
          fetch-depth: 0
          persist-credentials: 'false'
@@ -56,7 +58,7 @@ jobs:

      - name: Check for file changes
        id: changed-files
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
        with:
          files_yaml: |
            integer:
@@ -69,22 +71,48 @@ jobs:
              - tfhe/src/integer/**
              - .github/workflows/aws_tfhe_integer_tests.yml

-  unsigned-integer-tests:
-    name: aws_tfhe_integer_tests/unsigned-integer-tests
+  setup-instance:
+    name: aws_tfhe_integer_tests/setup-instance
    needs: should-run
    if:
      (github.event_name == 'push' && github.repository == 'zama-ai/tfhe-rs' && needs.should-run.outputs.integer_test == 'true') ||
      (github.event_name == 'schedule' && github.repository == 'zama-ai/tfhe-rs') ||
      (github.event.action == 'labeled' && github.event.label.name == 'approved' && needs.should-run.outputs.integer_test == 'true') ||
      github.event_name == 'workflow_dispatch'
+    runs-on: ubuntu-latest
+    outputs:
+      runner-name: ${{ steps.start-remote-instance.outputs.label || steps.start-github-instance.outputs.runner_group }}
+    steps:
+      - name: Start remote instance
+        id: start-remote-instance
+        if: env.SECRETS_AVAILABLE == 'true'
+        uses: zama-ai/slab-github-runner@5aee5d157f4a0201e5eaefc9cc648e5f9f5472a5 # v1.6.0
+        with:
+          mode: start
+          github-token: ${{ secrets.SLAB_ACTION_TOKEN }}
+          slab-url: ${{ secrets.SLAB_BASE_URL }}
+          job-secret: ${{ secrets.JOB_SECRET }}
+          backend: aws
+          profile: cpu-big
+
+      # This instance will be spawned especially for pull-request from forked repository
+      - name: Start GitHub instance
+        id: start-github-instance
+        if: env.SECRETS_AVAILABLE == 'false'
+        run: |
+          echo "runner_group=${EXTERNAL_CONTRIBUTION_RUNNER}" >> "$GITHUB_OUTPUT"
+
+  unsigned-integer-tests:
+    name: aws_tfhe_integer_tests/unsigned-integer-tests
+    needs: setup-instance
    concurrency:
      group: ${{ github.workflow_ref }}${{ github.ref == 'refs/heads/main' && github.sha || '' }}
      cancel-in-progress: ${{ github.ref != 'refs/heads/main' }}
-    runs-on: "runs-on=${{ github.run_id }}/runner=cpu-big"
+    runs-on: ${{ needs.setup-instance.outputs.runner-name }}
    timeout-minutes: 480 # 8 hours
    steps:
      - name: Checkout tfhe-rs
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
        with:
          persist-credentials: "false"
          token: ${{ env.CHECKOUT_TOKEN }}
@@ -130,3 +158,27 @@ jobs:
        env:
          SLACK_COLOR: ${{ job.status }}
          SLACK_MESSAGE: "Unsigned Integer tests finished with status: ${{ job.status }}. (${{ env.PULL_REQUEST_MD_LINK }}[action run](${{ env.ACTION_RUN_URL }}))"
+
+  teardown-instance:
+    name: aws_tfhe_integer_tests/teardown-instance
+    if: ${{ always() && needs.setup-instance.result == 'success' }}
+    needs: [setup-instance, unsigned-integer-tests]
+    runs-on: ubuntu-latest
+    steps:
+      - name: Stop remote instance
+        id: stop-instance
+        if: env.SECRETS_AVAILABLE == 'true'
+        uses: zama-ai/slab-github-runner@5aee5d157f4a0201e5eaefc9cc648e5f9f5472a5 # v1.6.0
+        with:
+          mode: stop
+          github-token: ${{ secrets.SLAB_ACTION_TOKEN }}
+          slab-url: ${{ secrets.SLAB_BASE_URL }}
+          job-secret: ${{ secrets.JOB_SECRET }}
+          label: ${{ needs.setup-instance.outputs.runner-name }}
+
+      - name: Slack Notification
+        if: ${{ failure() }}
+        uses: rtCamp/action-slack-notify@e31e87e03dd19038e411e38ae27cbad084a90661
+        env:
+          SLACK_COLOR: ${{ job.status }}
+          SLACK_MESSAGE: "Instance teardown (unsigned-integer-tests) finished with status: ${{ job.status }}. (${{ env.ACTION_RUN_URL }})"
--- a/.github/workflows/aws_tfhe_noise_checks.yml
+++ b/.github/workflows/aws_tfhe_noise_checks.yml
@@ -13,7 +13,8 @@ env:
  SLACKIFY_MARKDOWN: true
  PULL_REQUEST_MD_LINK: ""
  CHECKOUT_TOKEN: ${{ secrets.REPO_CHECKOUT_TOKEN || secrets.GITHUB_TOKEN }}
-
+  # Secrets will be available only to zama-ai organization members
+  SECRETS_AVAILABLE: ${{ secrets.JOB_SECRET != '' }}

 on:
  # Allows you to run this workflow manually from the Actions tab as an alternative.
@@ -59,7 +60,7 @@ jobs:
    timeout-minutes: 1440
    steps:
      - name: Checkout tfhe-rs
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
        with:
          persist-credentials: 'false'
          token: ${{ env.CHECKOUT_TOKEN }}
--- a/.github/workflows/aws_tfhe_signed_integer_tests.yml
+++ b/.github/workflows/aws_tfhe_signed_integer_tests.yml
@@ -17,7 +17,9 @@ env:
  TFHE_RS_CLEAR_IN_MEMORY_KEY_CACHE: "1"
  NO_BIG_PARAMS: FALSE
  CHECKOUT_TOKEN: ${{ secrets.REPO_CHECKOUT_TOKEN || secrets.GITHUB_TOKEN }}
-
+  # Secrets will be available only to zama-ai organization members
+  SECRETS_AVAILABLE: ${{ secrets.JOB_SECRET != '' }}
+  EXTERNAL_CONTRIBUTION_RUNNER: "large_ubuntu_64-22.04"

 on:
  # Allows you to run this workflow manually from the Actions tab as an alternative.
@@ -49,7 +51,7 @@ jobs:
        steps.changed-files.outputs.integer_any_changed }}
    steps:
      - name: Checkout tfhe-rs
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
        with:
          fetch-depth: 0
          persist-credentials: 'false'
@@ -57,7 +59,7 @@ jobs:

      - name: Check for file changes
        id: changed-files
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
        with:
          files_yaml: |
            integer:
@@ -70,21 +72,47 @@ jobs:
              - tfhe/src/integer/**
              - .github/workflows/aws_tfhe_signed_integer_tests.yml

-  signed-integer-tests:
-    name: aws_tfhe_signed_integer_tests/signed-integer-tests
+  setup-instance:
+    name: aws_tfhe_signed_integer_tests/setup-instance
    needs: should-run
    if:
      (github.event_name == 'push' && github.repository == 'zama-ai/tfhe-rs' && needs.should-run.outputs.integer_test == 'true') ||
      (github.event_name == 'schedule' && github.repository == 'zama-ai/tfhe-rs') ||
      (github.event.action == 'labeled' && github.event.label.name == 'approved' && needs.should-run.outputs.integer_test == 'true') ||
      github.event_name == 'workflow_dispatch'
+    runs-on: ubuntu-latest
+    outputs:
+      runner-name: ${{ steps.start-remote-instance.outputs.label || steps.start-github-instance.outputs.runner_group }}
+    steps:
+      - name: Start remote instance
+        id: start-remote-instance
+        if: env.SECRETS_AVAILABLE == 'true'
+        uses: zama-ai/slab-github-runner@5aee5d157f4a0201e5eaefc9cc648e5f9f5472a5 # v1.6.0
+        with:
+          mode: start
+          github-token: ${{ secrets.SLAB_ACTION_TOKEN }}
+          slab-url: ${{ secrets.SLAB_BASE_URL }}
+          job-secret: ${{ secrets.JOB_SECRET }}
+          backend: aws
+          profile: cpu-big
+
+      # This instance will be spawned especially for pull-request from forked repository
+      - name: Start GitHub instance
+        id: start-github-instance
+        if: env.SECRETS_AVAILABLE == 'false'
+        run: |
+          echo "runner_group=${EXTERNAL_CONTRIBUTION_RUNNER}" >> "$GITHUB_OUTPUT"
+
+  signed-integer-tests:
+    name: aws_tfhe_signed_integer_tests/signed-integer-tests
+    needs: setup-instance
    concurrency:
      group: ${{ github.workflow_ref }}${{ github.ref == 'refs/heads/main' && github.sha || '' }}
      cancel-in-progress: ${{ github.ref != 'refs/heads/main' }}
-    runs-on: "runs-on=${{ github.run_id }}/runner=cpu-big"
+    runs-on: ${{ needs.setup-instance.outputs.runner-name }}
    steps:
      - name: Checkout tfhe-rs
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
        with:
          persist-credentials: "false"
          token: ${{ env.CHECKOUT_TOKEN }}
@@ -134,3 +162,27 @@ jobs:
        env:
          SLACK_COLOR: ${{ job.status }}
          SLACK_MESSAGE: "Signed Integer tests finished with status: ${{ job.status }}. (${{ env.PULL_REQUEST_MD_LINK }}[action run](${{ env.ACTION_RUN_URL }}))"
+
+  teardown-instance:
+    name: aws_tfhe_signed_integer_tests/teardown-instance
+    if: ${{ always() && needs.setup-instance.result == 'success' }}
+    needs: [setup-instance, signed-integer-tests]
+    runs-on: ubuntu-latest
+    steps:
+      - name: Stop remote instance
+        id: stop-instance
+        if: env.SECRETS_AVAILABLE == 'true'
+        uses: zama-ai/slab-github-runner@5aee5d157f4a0201e5eaefc9cc648e5f9f5472a5 # v1.6.0
+        with:
+          mode: stop
+          github-token: ${{ secrets.SLAB_ACTION_TOKEN }}
+          slab-url: ${{ secrets.SLAB_BASE_URL }}
+          job-secret: ${{ secrets.JOB_SECRET }}
+          label: ${{ needs.setup-instance.outputs.runner-name }}
+
+      - name: Slack Notification
+        if: ${{ failure() }}
+        uses: rtCamp/action-slack-notify@e31e87e03dd19038e411e38ae27cbad084a90661
+        env:
+          SLACK_COLOR: ${{ job.status }}
+          SLACK_MESSAGE: "Instance teardown (signed-integer-tests) finished with status: ${{ job.status }}. (${{ env.ACTION_RUN_URL }})"
--- a/.github/workflows/aws_tfhe_tests.yml
+++ b/.github/workflows/aws_tfhe_tests.yml
@@ -14,7 +14,9 @@ env:
  IS_PULL_REQUEST: ${{ github.event_name == 'pull_request' }}
  PULL_REQUEST_MD_LINK: ""
  CHECKOUT_TOKEN: ${{ secrets.REPO_CHECKOUT_TOKEN || secrets.GITHUB_TOKEN }}
-
+  # Secrets will be available only to zama-ai organization members
+  SECRETS_AVAILABLE: ${{ secrets.JOB_SECRET != '' }}
+  EXTERNAL_CONTRIBUTION_RUNNER: "large_ubuntu_64-22.04"

 on:
  # Allows you to run this workflow manually from the Actions tab as an alternative.
@@ -70,7 +72,7 @@ jobs:
      any_file_changed: ${{ env.IS_PULL_REQUEST == 'false' || steps.aggregated-changes.outputs.any_changed }}
    steps:
      - name: Checkout tfhe-rs
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
        with:
          fetch-depth: 0
          persist-credentials: 'false'
@@ -78,7 +80,7 @@ jobs:

      - name: Check for file changes
        id: changed-files
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
        with:
          files_yaml: |
            dependencies:
@@ -141,18 +143,46 @@ jobs:
        run: |
          echo "any_changed=true" >> "$GITHUB_OUTPUT"

-  cpu-tests:
-    name: aws_tfhe_tests/cpu-tests
-    needs: should-run
+  setup-instance:
+    name: aws_tfhe_tests/setup-instance
    if: github.event_name != 'pull_request' ||
      (github.event.action == 'labeled' && github.event.label.name == 'approved' && needs.should-run.outputs.any_file_changed == 'true')
+    needs: should-run
+    runs-on: ubuntu-latest
+    outputs:
+      runner-name: ${{ steps.start-remote-instance.outputs.label || steps.start-github-instance.outputs.runner_group }}
+    steps:
+      - name: Start remote instance
+        id: start-remote-instance
+        if: env.SECRETS_AVAILABLE == 'true'
+        uses: zama-ai/slab-github-runner@5aee5d157f4a0201e5eaefc9cc648e5f9f5472a5 # v1.6.0
+        with:
+          mode: start
+          github-token: ${{ secrets.SLAB_ACTION_TOKEN }}
+          slab-url: ${{ secrets.SLAB_BASE_URL }}
+          job-secret: ${{ secrets.JOB_SECRET }}
+          backend: aws
+          profile: cpu-big
+
+      # This instance will be spawned especially for pull-request from forked repository
+      - name: Start GitHub instance
+        id: start-github-instance
+        if: env.SECRETS_AVAILABLE == 'false'
+        run: |
+          echo "runner_group=${EXTERNAL_CONTRIBUTION_RUNNER}" >> "$GITHUB_OUTPUT"
+
+  cpu-tests:
+    name: aws_tfhe_tests/cpu-tests
+    if: github.event_name != 'pull_request' ||
+      (github.event_name == 'pull_request' && needs.setup-instance.result != 'skipped')
+    needs: [ should-run, setup-instance ]
    concurrency:
      group: ${{ github.workflow_ref }}_${{github.event_name}}
      cancel-in-progress: true
-    runs-on: "runs-on=${{ github.run_id }}/runner=cpu-big"
+    runs-on: ${{ needs.setup-instance.outputs.runner-name }}
    steps:
      - name: Checkout tfhe-rs
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
        with:
          persist-credentials: 'false'
          token: ${{ env.CHECKOUT_TOKEN }}
@@ -239,3 +269,27 @@ jobs:
        env:
          SLACK_COLOR: ${{ job.status }}
          SLACK_MESSAGE: "CPU tests finished with status: ${{ job.status }}. (${{ env.PULL_REQUEST_MD_LINK }}[action run](${{ env.ACTION_RUN_URL }}))"
+
+  teardown-instance:
+    name: aws_tfhe_tests/teardown-instance
+    if: ${{ always() && needs.setup-instance.result == 'success' }}
+    needs: [ setup-instance, cpu-tests ]
+    runs-on: ubuntu-latest
+    steps:
+      - name: Stop remote instance
+        id: stop-instance
+        if: env.SECRETS_AVAILABLE == 'true'
+        uses: zama-ai/slab-github-runner@5aee5d157f4a0201e5eaefc9cc648e5f9f5472a5 # v1.6.0
+        with:
+          mode: stop
+          github-token: ${{ secrets.SLAB_ACTION_TOKEN }}
+          slab-url: ${{ secrets.SLAB_BASE_URL }}
+          job-secret: ${{ secrets.JOB_SECRET }}
+          label: ${{ needs.setup-instance.outputs.runner-name }}
+
+      - name: Slack Notification
+        if: ${{ failure() }}
+        uses: rtCamp/action-slack-notify@e31e87e03dd19038e411e38ae27cbad084a90661
+        env:
+          SLACK_COLOR: ${{ job.status }}
+          SLACK_MESSAGE: "Instance teardown (cpu-tests) finished with status: ${{ job.status }}. (${{ env.ACTION_RUN_URL }})"
--- a/.github/workflows/aws_tfhe_wasm_tests.yml
+++ b/.github/workflows/aws_tfhe_wasm_tests.yml
@@ -13,12 +13,15 @@ env:
  SLACKIFY_MARKDOWN: true
  PULL_REQUEST_MD_LINK: ""
  CHECKOUT_TOKEN: ${{ secrets.REPO_CHECKOUT_TOKEN || secrets.GITHUB_TOKEN }}
+  # Secrets will be available only to zama-ai organization members
+  SECRETS_AVAILABLE: ${{ secrets.JOB_SECRET != '' }}
+  EXTERNAL_CONTRIBUTION_RUNNER: "large_ubuntu_16"

 on:
  # Allows you to run this workflow manually from the Actions tab as an alternative.
  workflow_dispatch:
  pull_request:
-    types: [labeled]
+    types: [ labeled ]

 permissions:
  contents: read
@@ -26,59 +29,44 @@ permissions:
 # zizmor: ignore[concurrency-limits] concurrency is managed after instance setup to ensure safe provisioning

 jobs:
-  should-run:
-    name: aws_tfhe_wasm_tests/should-run
-    if: github.event_name == 'workflow_dispatch' || contains(github.event.label.name, 'approved')
+  setup-instance:
+    name: aws_tfhe_wasm_tests/setup-instance
+    if: ${{ github.event_name == 'workflow_dispatch' || contains(github.event.label.name, 'approved') }}
    runs-on: ubuntu-latest
-    permissions:
-      pull-requests: read # Needed to check for file change
    outputs:
-      wasm_test: ${{ github.event_name == 'workflow_dispatch' ||
-        steps.changed-files.outputs.wasm_any_changed }}
+      runner-name: ${{ steps.start-remote-instance.outputs.label || steps.start-github-instance.outputs.runner_group }}
    steps:
-      - name: Checkout tfhe-rs
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+      - name: Start remote instance
+        id: start-remote-instance
+        if: env.SECRETS_AVAILABLE == 'true'
+        uses: zama-ai/slab-github-runner@5aee5d157f4a0201e5eaefc9cc648e5f9f5472a5 # v1.6.0
        with:
-          fetch-depth: 0
-          persist-credentials: "false"
-          token: ${{ env.CHECKOUT_TOKEN }}
+          mode: start
+          github-token: ${{ secrets.SLAB_ACTION_TOKEN }}
+          slab-url: ${{ secrets.SLAB_BASE_URL }}
+          job-secret: ${{ secrets.JOB_SECRET }}
+          backend: aws
+          profile: cpu-small

-      - name: Check for file changes
-        id: changed-files
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
-        with:
-          files_yaml: |
-            wasm:
-                - Cargo.toml
-                - tfhe/Cargo.toml
-                - tfhe-csprng/**
-                - tfhe-fft/**
-                - tfhe-zk-pok/**
-                - tfhe/src/core_crypto/**
-                - tfhe/src/shortint/**
-                - tfhe/src/integer/**
-                - tfhe/src/high_level_api/**
-                - tfhe/src/js_on_wasm_api/**
-                - tfhe/js_on_wasm_tests/**
-                - tfhe/web_wasm_parallel_tests/**
-                - utils/tfhe-versionable/**
-                - utils/tfhe-safe-serialize/**
-                - .github/workflows/aws_tfhe_wasm_tests.yml
+      # This instance will be spawned especially for pull-request from forked repository
+      - name: Start GitHub instance
+        id: start-github-instance
+        if: env.SECRETS_AVAILABLE == 'false'
+        run: |
+          echo "runner_group=${EXTERNAL_CONTRIBUTION_RUNNER}" >> "$GITHUB_OUTPUT"

  wasm-tests:
    name: aws_tfhe_wasm_tests/wasm-tests
-    needs: should-run
-    if: github.event_name == 'workflow_dispatch' ||
-      (contains(github.event.label.name, 'approved') && needs.should-run.outputs.wasm_test == 'true')
+    needs: setup-instance
    concurrency:
      group: ${{ github.workflow_ref }}_${{github.event_name}}
      cancel-in-progress: true
-    runs-on: "runs-on=${{ github.run_id }}/runner=cpu-small"
+    runs-on: ${{ needs.setup-instance.outputs.runner-name }}
    steps:
      - name: Checkout tfhe-rs
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
        with:
-          persist-credentials: "false"
+          persist-credentials: 'false'
          token: ${{ env.CHECKOUT_TOKEN }}

      - name: Install latest stable
@@ -92,7 +80,7 @@ jobs:

      - name: Node cache restoration
        id: node-cache
-        uses: actions/cache/restore@668228422ae6a00e4ad889ee87cd7109ec5666a7 #v5.0.4
+        uses: actions/cache/restore@9255dc7a253b0ccc959486e2bca901246202afeb #v5.0.1
        with:
          path: |
            ~/.nvm
@@ -105,7 +93,7 @@ jobs:
          make install_node

      - name: Node cache save
-        uses: actions/cache/save@668228422ae6a00e4ad889ee87cd7109ec5666a7 #v5.0.4
+        uses: actions/cache/save@9255dc7a253b0ccc959486e2bca901246202afeb #v5.0.1
        if: steps.node-cache.outputs.cache-hit != 'true'
        with:
          path: |
@@ -117,8 +105,6 @@ jobs:
        run: |
          make install_chrome_browser
          make install_chrome_web_driver
-          make install_firefox_browser
-          make install_firefox_web_driver

      - name: Run fmt checks
        run: |
@@ -128,20 +114,9 @@ jobs:
        run: |
          make test_nodejs_wasm_api_ci

-      - name: Run wasm_par_mq tests
-        run: |
-          make test_wasm_par_mq_chrome_ci
-          make test_wasm_par_mq_firefox_ci
-
      - name: Run parallel wasm tests
        run: |
          make test_web_js_api_parallel_chrome_ci
-          make test_web_js_api_parallel_firefox_ci
-
-      - name: Run cross origin wasm tests
-        run: |
-          make test_web_js_api_cross_origin_chrome_ci
-          make test_web_js_api_cross_origin_firefox_ci

      - name: Run x86_64/wasm zk compatibility tests
        run: |
@@ -162,3 +137,27 @@ jobs:
        env:
          SLACK_COLOR: ${{ job.status }}
          SLACK_MESSAGE: "WASM tests finished with status: ${{ job.status }}. (${{ env.PULL_REQUEST_MD_LINK }}[action run](${{ env.ACTION_RUN_URL }}))"
+
+  teardown-instance:
+    name: aws_tfhe_wasm_tests/teardown-instance
+    if: ${{ always() && needs.setup-instance.result == 'success' }}
+    needs: [ setup-instance, wasm-tests ]
+    runs-on: ubuntu-latest
+    steps:
+      - name: Stop remote instance
+        id: stop-instance
+        if: env.SECRETS_AVAILABLE == 'true'
+        uses: zama-ai/slab-github-runner@5aee5d157f4a0201e5eaefc9cc648e5f9f5472a5 # v1.6.0
+        with:
+          mode: stop
+          github-token: ${{ secrets.SLAB_ACTION_TOKEN }}
+          slab-url: ${{ secrets.SLAB_BASE_URL }}
+          job-secret: ${{ secrets.JOB_SECRET }}
+          label: ${{ needs.setup-instance.outputs.runner-name }}
+
+      - name: Slack Notification
+        if: ${{ failure() }}
+        uses: rtCamp/action-slack-notify@e31e87e03dd19038e411e38ae27cbad084a90661
+        env:
+          SLACK_COLOR: ${{ job.status }}
+          SLACK_MESSAGE: "Instance teardown (wasm-tests) finished with status: ${{ job.status }}. (${{ env.ACTION_RUN_URL }})"
--- a/.github/workflows/backward_compat_pr_change_report.yml
+++ b/.github/workflows/backward_compat_pr_change_report.yml
@@ -1,89 +0,0 @@
-# On PR: when snapshot files are modified, generates a diff report between
-# the base branch and the PR snapshots, then posts it as a PR comment.
-# Helps reviewers understand what versioned types changed.
-name: backward_compat_pr_change_report
-
-on:
-  pull_request:
-
-env:
-  CHECKOUT_TOKEN: ${{ secrets.REPO_CHECKOUT_TOKEN || secrets.GITHUB_TOKEN }}
-
-permissions:
-  contents: read
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.head_ref }}
-  cancel-in-progress: true
-
-jobs:
-  should-run:
-    name: backward_compat_pr_change_report/should-run
-    runs-on: ubuntu-latest
-    permissions:
-      pull-requests: read  # Needed to check for file change
-    outputs:
-      backward_report: ${{ steps.changed-files.outputs.backward_any_changed }}
-    steps:
-      - name: Checkout tfhe-rs
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
-        with:
-          fetch-depth: 0
-          persist-credentials: 'false'
-          token: ${{ env.CHECKOUT_TOKEN }}
-
-      - name: Check for file changes
-        id: changed-files
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
-        with:
-          files_yaml: |
-            backward:
-              - utils/tfhe-lints/snapshots/*.json
-
-  change-report:
-    name: backward_compat_pr_change_report/change-report (bpr)
-    runs-on: ubuntu-latest
-    needs: should-run
-    if:
-      needs.should-run.outputs.backward_report == 'true'
-    permissions:
-      pull-requests: write # To send and modify message in the PR
-    steps:
-      - name: Checkout PR head
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
-        with:
-          persist-credentials: 'false'
-          path: head
-
-      - name: Checkout base branch
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
-        with:
-          persist-credentials: 'false'
-          ref: ${{ github.event.pull_request.base.sha }}
-          path: base
-
-      - name: Generate diff report
-        id: report
-        run: |
-          cd head && make backward_snapshot_report \
-            BASE_SNAPSHOT_DIR=../base/utils/tfhe-lints/snapshots \
-            HEAD_SNAPSHOT_DIR=utils/tfhe-lints/snapshots \
-            OUTPUT_FILE=../report.md
-
-          if [ -s ../report.md ]; then
-            echo "has_report=true" >> "$GITHUB_OUTPUT"
-          elif [ -f ../report.md ]; then
-            echo "has_report=false" >> "$GITHUB_OUTPUT"
-          else
-            echo "::error::report.md was not created — something went wrong"
-            exit 1
-          fi
-
-      - name: Post/refresh backward-compat report
-        if: steps.report.outputs.has_report == 'true'
-        uses: marocchino/sticky-pull-request-comment@0ea0beb66eb9baf113663a64ec522f60e49231c0
-        with:
-          header: backward-compat-snapshot
-          hide_and_recreate: true
-          hide_classify: OUTDATED
-          path: report.md
--- a/.github/workflows/backward_compat_snapshot_consistency.yml
+++ b/.github/workflows/backward_compat_snapshot_consistency.yml
@@ -1,54 +0,0 @@
-# Generates snapshots from code and diffs against committed base files.
-# Ensures snapshots are up to date on PRs and catches stale ones on main.
-name: backward_compat_snapshot_consistency
-
-env:
-  CARGO_TERM_COLOR: always
-  ACTION_RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
-  RUST_BACKTRACE: "full"
-  RUST_MIN_STACK: "8388608"
-  SLACK_CHANNEL: ${{ secrets.SLACK_CHANNEL }}
-  SLACK_ICON: https://pbs.twimg.com/profile_images/1274014582265298945/OjBKP9kn_400x400.png
-  SLACK_USERNAME: ${{ secrets.BOT_USERNAME }}
-  SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
-  SLACKIFY_MARKDOWN: true
-
-on:
-  workflow_dispatch:
-  pull_request:
-  push:
-    branches:
-      - main
-
-permissions:
-  contents: read
-
-jobs:
-  snapshot-consistency:
-    name: backward_compat_snapshot_consistency/snapshot-consistency (bpr)
-    runs-on: ubuntu-latest
-    concurrency:
-      group: ${{ github.workflow }}-${{ github.head_ref || github.sha }}
-      cancel-in-progress: ${{ github.event_name != 'push' }}
-    steps:
-      - name: Checkout tfhe-rs
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
-        with:
-          persist-credentials: 'false'
-
-      - name: Generate snapshots from current code
-        run: make backward_snapshot_head
-
-      - name: Check snapshot consistency
-        run: ./scripts/check_snapshot_consistency.sh
-
-      - name: Slack Notification
-        if: ${{ failure() || (cancelled() && github.event_name == 'push') }}
-        continue-on-error: true
-        uses: rtCamp/action-slack-notify@e31e87e03dd19038e411e38ae27cbad084a90661
-        env:
-          SLACK_COLOR: ${{ job.status }}
-          SLACK_MESSAGE: >-
-            Backward compatibility snapshot consistency check: ${{ job.status }}.
-            Snapshots may be outdated — run `make backward_snapshot_base` and commit.
-            [See details](${{ env.ACTION_RUN_URL }})
--- a/.github/workflows/benchmark_cpu.yml
+++ b/.github/workflows/benchmark_cpu.yml
@@ -14,15 +14,12 @@ on:
          - signed_integer
          - integer_compression
          - integer_zk
-          - msm_zk
          - shortint
          - shortint_oprf
-          - hlapi_unsigned
-          - hlapi_signed
-          - hlapi_erc7984
+          - hlapi
+          - hlapi_erc20
          - hlapi_dex
          - hlapi_noise_squash
-          - hlapi_kvstore
          - tfhe_zk_pok
          - boolean
          - pbs
@@ -72,45 +69,8 @@ permissions: {}
 # zizmor: ignore[concurrency-limits] only Zama organization members can trigger this workflow

 jobs:
-  parse-inputs:
-    name: benchmark_cpu/parse-inputs
-    runs-on: ubuntu-latest
-    outputs:
-      additional_file_to_parse: ${{ steps.set_file_to_parse.outputs.additional_file_to_parse }}
-    steps:
-      - name: Get additional file to parse
-        id: set_file_to_parse
-        shell: python
-        env:
-          INPUTS_COMMAND: ${{ inputs.command }}
-        run: |
-          import os
-
-          inputs_command = os.environ["INPUTS_COMMAND"]
-          output_file = os.environ["GITHUB_OUTPUT"]
-
-          files_to_parse = []
-
-          if inputs_command == "integer_zk":
-            files_to_parse.append("pke_zk_crs_sizes.csv")
-          elif inputs_command == "hlapi_erc7984":
-            files_to_parse.append("erc7984_pbs_count.csv")
-          elif inputs_command == "hlapi_dex":
-            files_to_parse.extend(
-              [
-                "dex_swap_request_update_dex_balance_pbs_count.csv",
-                "dex_swap_request_finalize_pbs_count.csv",
-                "dex_swap_claim_prepare_pbs_count.csv",
-                "dex_swap_claim_update_dex_balance_pbs_count.csv"
-              ]
-            )
-
-          with open(output_file, "a") as f:
-            f.write(f"""additional_file_to_parse={",".join(files_to_parse)}\n""")
-
  run-benchmarks:
    name: benchmark_cpu/run-benchmarks
-    needs: parse-inputs
    uses: ./.github/workflows/benchmark_cpu_common.yml
    with:
      command: ${{ inputs.command }}
@@ -118,7 +78,6 @@ jobs:
      bench_type: ${{ inputs.bench_type }}
      params_type: ${{ inputs.params_type }}
      precisions_set: ${{ inputs.precisions_set }}
-      additional_file_to_parse: ${{ needs.parse-inputs.outputs.additional_file_to_parse }}
    secrets:
      BOT_USERNAME: ${{ secrets.BOT_USERNAME }}
      SLACK_CHANNEL: ${{ secrets.SLACK_CHANNEL }}
--- a/.github/workflows/benchmark_cpu_common.yml
+++ b/.github/workflows/benchmark_cpu_common.yml
@@ -107,7 +107,7 @@ jobs:
            ]:
              f.write(f"""{env_name}=["{'", "'.join(values_to_join)}"]\n""")

-      - name: Set matrix arguments outputs
+      - name: Set martix arguments outputs
        id: set_matrix_args
        run: | # zizmor: ignore[template-injection] these env variable are safe
          {
@@ -149,7 +149,7 @@ jobs:
        params_type: ${{ fromJSON(needs.prepare-matrix.outputs.params_type) }}
    steps:
      - name: Checkout tfhe-rs repo with tags
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
        with:
          fetch-depth: 0
          persist-credentials: 'false'
@@ -223,13 +223,13 @@ jobs:
          results_type: ${{ inputs.additional_results_type }}

      - name: Upload parsed results artifact
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f
        with:
          name: ${{ github.sha }}_${{ matrix.command }}_${{ matrix.op_flavor }}_${{ matrix.bench_type }}_${{ matrix.params_type }}
          path: ${{ env.RESULTS_FILENAME }}

      - name: Checkout Slab repo
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
        with:
          repository: zama-ai/slab
          path: slab
--- a/.github/workflows/benchmark_cpu_weekly.yml
+++ b/.github/workflows/benchmark_cpu_weekly.yml
@@ -24,7 +24,6 @@ permissions: {}
 jobs:
  prepare-inputs:
    name: benchmark_cpu_weekly/prepare-inputs
-    if: github.repository == 'zama-ai/tfhe-rs'
    runs-on: ubuntu-latest
    outputs:
      is_weekly_bench_group_1: ${{ steps.check_bench_group_1.outputs.is_weekly_bench_group_1 }}
@@ -73,7 +72,8 @@ jobs:

  run-benchmarks-integer:
    name: benchmark_cpu_weekly/run-benchmarks-integer
-    if: needs.prepare-inputs.outputs.is_weekly_bench_group_1 == 'true' || needs.prepare-inputs.outputs.is_quarterly_bench == 'true'
+    if: github.repository == 'zama-ai/tfhe-rs' 
+      && (needs.prepare-inputs.outputs.is_weekly_bench_group_1 == 'true' || needs.prepare-inputs.outputs.is_quarterly_bench == 'true')
    needs: prepare-inputs
    uses: ./.github/workflows/benchmark_cpu_common.yml
    with:
@@ -92,7 +92,8 @@ jobs:

  run-benchmarks-integer-zk-pke:
    name: benchmark_cpu_weekly/run-benchmarks-integer-zk-pke
-    if: needs.prepare-inputs.outputs.is_weekly_bench_group_1 == 'true'
+    if: github.repository == 'zama-ai/tfhe-rs'
+      && needs.prepare-inputs.outputs.is_weekly_bench_group_1 == 'true'
    needs: prepare-inputs
    uses: ./.github/workflows/benchmark_cpu_common.yml
    with:
@@ -108,14 +109,15 @@ jobs:
      SLAB_URL: ${{ secrets.SLAB_URL }}
      SLAB_BASE_URL: ${{ secrets.SLAB_BASE_URL }}

-  run-benchmarks-hlapi-erc7984:
-    name: benchmark_cpu_weekly/run-benchmarks-hlapi-erc7984
-    if: needs.prepare-inputs.outputs.is_weekly_bench_group_2 == 'true'
+  run-benchmarks-hlapi-erc20:
+    name: benchmark_cpu_weekly/run-benchmarks-hlapi-erc20
+    if: github.repository == 'zama-ai/tfhe-rs'
+      && needs.prepare-inputs.outputs.is_weekly_bench_group_2 == 'true'
    needs: prepare-inputs
    uses: ./.github/workflows/benchmark_cpu_common.yml
    with:
-      command: hlapi_erc7984
-      additional_file_to_parse: erc7984_pbs_count.csv
+      command: hlapi_erc20
+      additional_file_to_parse: erc20_pbs_count.csv
    secrets:
      BOT_USERNAME: ${{ secrets.BOT_USERNAME }}
      SLACK_CHANNEL: ${{ secrets.SLACK_CHANNEL }}
@@ -128,7 +130,8 @@ jobs:

  run-benchmarks-hlapi-dex:
    name: benchmark_cpu_weekly/run-benchmarks-hlapi-dex
-    if: needs.prepare-inputs.outputs.is_weekly_bench_group_1 == 'true'
+    if: github.repository == 'zama-ai/tfhe-rs'
+      && needs.prepare-inputs.outputs.is_weekly_bench_group_1 == 'true'
    needs: prepare-inputs
    uses: ./.github/workflows/benchmark_cpu_common.yml
    with:
@@ -146,7 +149,8 @@ jobs:

  run-benchmarks-core-crypto:
    name: benchmark_cpu_weekly/run-benchmarks-core-crypto
-    if: needs.prepare-inputs.outputs.is_weekly_bench_group_1 == 'true'
+    if: github.repository == 'zama-ai/tfhe-rs'
+      && needs.prepare-inputs.outputs.is_weekly_bench_group_1 == 'true'
    needs: prepare-inputs
    uses: ./.github/workflows/benchmark_cpu_common.yml
    with:
@@ -163,7 +167,8 @@ jobs:

  run-benchmarks-shortint:
    name: benchmark_cpu_weekly/run-benchmarks-shortint
-    if: needs.prepare-inputs.outputs.is_weekly_bench_group_2 == 'true' || needs.prepare-inputs.outputs.is_quarterly_bench == 'true'
+    if: github.repository == 'zama-ai/tfhe-rs'
+      && (needs.prepare-inputs.outputs.is_weekly_bench_group_2 == 'true' || needs.prepare-inputs.outputs.is_quarterly_bench == 'true')
    needs: prepare-inputs
    uses: ./.github/workflows/benchmark_cpu_common.yml
    with:
@@ -181,7 +186,8 @@ jobs:

  run-benchmarks-boolean:
    name: benchmark_cpu_weekly/run-benchmarks-boolean
-    if: needs.prepare-inputs.outputs.is_weekly_bench_group_2 == 'true'
+    if: github.repository == 'zama-ai/tfhe-rs'
+      && needs.prepare-inputs.outputs.is_weekly_bench_group_2 == 'true'
    needs: prepare-inputs
    uses: ./.github/workflows/benchmark_cpu_common.yml
    with:
@@ -200,7 +206,8 @@ jobs:

  run-benchmarks-tfhe-zk-pok:
    name: benchmark_cpu_weekly/run-benchmarks-tfhe-zk-pok
-    if: needs.prepare-inputs.outputs.is_weekly_bench_group_1 == 'true'
+    if: github.repository == 'zama-ai/tfhe-rs'
+      && needs.prepare-inputs.outputs.is_weekly_bench_group_1 == 'true'
    needs: prepare-inputs
    uses: ./.github/workflows/benchmark_cpu_common.yml
    with:
--- a/.github/workflows/benchmark_ct_key_sizes.yml
+++ b/.github/workflows/benchmark_ct_key_sizes.yml
@@ -49,7 +49,7 @@ jobs:
    runs-on: ${{ needs.setup-instance.outputs.runner-name }}
    steps:
      - name: Checkout tfhe-rs repo with tags
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
        with:
          fetch-depth: 0
          persist-credentials: 'false'
@@ -99,13 +99,13 @@ jobs:
          --append-results

      - name: Upload parsed results artifact
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f
        with:
          name: ${{ github.sha }}_ct_key_sizes
          path: ${{ env.RESULTS_FILENAME }}

      - name: Checkout Slab repo
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
        with:
          repository: zama-ai/slab
          path: slab
--- a/.github/workflows/benchmark_documentation.yml
+++ b/.github/workflows/benchmark_documentation.yml
@@ -17,10 +17,6 @@ on:
        description: "Run GPU core-crypto benchmarks"
        type: boolean
        default: true
-      run-gpu-zk-benchmarks:
-        description: "Run GPU ZK benchmarks"
-        type: boolean
-        default: true
      run-hpu-benchmarks:
        description: "Run HPU benchmarks"
        type: boolean
@@ -29,6 +25,10 @@ on:
        description: "Generate SVG tables"
        type: boolean
        default: true
+      open-pr:
+        description: "Open a PR with the benchmark results"
+        type: boolean
+        default: false

 permissions: {}

@@ -40,7 +40,7 @@ jobs:
    uses: ./.github/workflows/benchmark_cpu_common.yml
    if: inputs.run-cpu-benchmarks
    with:
-      command: integer,hlapi_erc7984
+      command: integer
      op_flavor: fast_default
      bench_type: both
      precisions_set: documentation
@@ -54,40 +54,6 @@ jobs:
      SLAB_URL: ${{ secrets.SLAB_URL }}
      SLAB_BASE_URL: ${{ secrets.SLAB_BASE_URL }}

-  run-benchmarks-cpu-zk-server:
-    name: benchmark_documentation/run-benchmarks-cpu-zk-server
-    uses: ./.github/workflows/benchmark_cpu_common.yml
-    if: inputs.run-cpu-benchmarks
-    with:
-      command: integer_zk
-      op_flavor: default
-      bench_type: both
-    secrets:
-      BOT_USERNAME: ${{ secrets.BOT_USERNAME }}
-      SLACK_CHANNEL: ${{ secrets.SLACK_CHANNEL }}
-      SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
-      REPO_CHECKOUT_TOKEN: ${{ secrets.REPO_CHECKOUT_TOKEN }}
-      JOB_SECRET: ${{ secrets.JOB_SECRET }}
-      SLAB_ACTION_TOKEN: ${{ secrets.SLAB_ACTION_TOKEN }}
-      SLAB_URL: ${{ secrets.SLAB_URL }}
-      SLAB_BASE_URL: ${{ secrets.SLAB_BASE_URL }}
-
-  run-benchmarks-cpu-zk-client:
-    name: benchmark_documentation/run-benchmarks-cpu-zk-client
-    uses: ./.github/workflows/benchmark_wasm_client_common.yml
-    if: inputs.run-cpu-benchmarks
-    with:
-      browser: chrome
-    secrets:
-      BOT_USERNAME: ${{ secrets.BOT_USERNAME }}
-      SLACK_CHANNEL: ${{ secrets.SLACK_CHANNEL }}
-      SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
-      REPO_CHECKOUT_TOKEN: ${{ secrets.REPO_CHECKOUT_TOKEN }}
-      JOB_SECRET: ${{ secrets.JOB_SECRET }}
-      SLAB_ACTION_TOKEN: ${{ secrets.SLAB_ACTION_TOKEN }}
-      SLAB_URL: ${{ secrets.SLAB_URL }}
-      SLAB_BASE_URL: ${{ secrets.SLAB_BASE_URL }}
-
  run-benchmarks-gpu-integer:
    name: benchmark_documentation/run-benchmarks-gpu-integer
    uses: ./.github/workflows/benchmark_gpu_common.yml
@@ -95,7 +61,7 @@ jobs:
    with:
      profile: multi-h100-sxm5
      hardware_name: n3-H100-SXM5x8
-      command: integer_multi_bit,hlapi_erc7984
+      command: integer_multi_bit
      op_flavor: fast_default
      bench_type: both
      precisions_set: documentation
@@ -114,7 +80,7 @@ jobs:
    uses: ./.github/workflows/benchmark_hpu_common.yml
    if: inputs.run-hpu-benchmarks
    with:
-      command: integer,hlapi_erc7984
+      command: integer
      op_flavor: default
      bench_type: both
      precisions_set: documentation
@@ -169,42 +135,20 @@ jobs:
      SLAB_URL: ${{ secrets.SLAB_URL }}
      SLAB_BASE_URL: ${{ secrets.SLAB_BASE_URL }}

-  run-benchmarks-gpu-zk-server:
-    name: benchmark_documentation/run-benchmarks-gpu-zk-server
-    uses: ./.github/workflows/benchmark_gpu_common.yml
-    if: inputs.run-gpu-zk-benchmarks
-    with:
-      profile: multi-h100-sxm5
-      hardware_name: n3-H100-SXM5x8
-      command: integer_zk
-      op_flavor: default
-      bench_type: both
-    secrets:
-      BOT_USERNAME: ${{ secrets.BOT_USERNAME }}
-      SLACK_CHANNEL: ${{ secrets.SLACK_CHANNEL }}
-      SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
-      REPO_CHECKOUT_TOKEN: ${{ secrets.REPO_CHECKOUT_TOKEN }}
-      JOB_SECRET: ${{ secrets.JOB_SECRET }}
-      SLAB_ACTION_TOKEN: ${{ secrets.SLAB_ACTION_TOKEN }}
-      SLAB_URL: ${{ secrets.SLAB_URL }}
-      SLAB_BASE_URL: ${{ secrets.SLAB_BASE_URL }}
-
  generate-svgs-with-benchmarks-run:
    name: benchmark-documentation/generate-svgs-with-benchmarks-run
    if: ${{ always() &&
-      (inputs.run-cpu-benchmarks || inputs.run-gpu-integer-benchmarks || inputs.run-gpu-core-crypto-benchmarks || inputs.run-gpu-zk-benchmarks || inputs.run-hpu-benchmarks) &&
+      (inputs.run-cpu-benchmarks || inputs.run-gpu-integer-benchmarks || inputs.run-gpu-core-crypto-benchmarks ||inputs.run-hpu-benchmarks) &&
      inputs.generate-svgs }}
    needs: [
      run-benchmarks-cpu-integer, run-benchmarks-gpu-integer, run-benchmarks-hpu-integer,
-      run-benchmarks-cpu-zk-server, run-benchmarks-cpu-zk-client,
-      run-benchmarks-cpu-core-crypto, run-benchmarks-gpu-core-crypto,
-      run-benchmarks-gpu-zk-server
+      run-benchmarks-cpu-core-crypto, run-benchmarks-gpu-core-crypto
    ]
    uses: ./.github/workflows/generate_svgs.yml
    with:
      time_span_days: 5
      generate-cpu-svgs: ${{ inputs.run-cpu-benchmarks }}
-      generate-gpu-svgs: ${{ inputs.run-gpu-integer-benchmarks || inputs.run-gpu-core-crypto-benchmarks || inputs.run-gpu-zk-benchmarks }}
+      generate-gpu-svgs: ${{ inputs.run-gpu-integer-benchmarks || inputs.run-gpu-core-crypto-benchmarks }}
      generate-hpu-svgs: ${{ inputs.run-hpu-benchmarks }}
    secrets:
      DATA_EXTRACTOR_DATABASE_USER: ${{ secrets.DATA_EXTRACTOR_DATABASE_USER }}
@@ -213,7 +157,7 @@ jobs:

  generate-svgs-without-benchmarks-run:
    name: benchmark-documentation/generate-svgs-without-benchmarks-run
-    if: ${{ !(inputs.run-cpu-benchmarks || inputs.run-gpu-integer-benchmarks || inputs.run-gpu-core-crypto-benchmarks || inputs.run-gpu-zk-benchmarks || inputs.run-hpu-benchmarks) &&
+    if: ${{ !(inputs.run-cpu-benchmarks || inputs.run-gpu-integer-benchmarks || inputs.run-gpu-core-crypto-benchmarks || inputs.run-hpu-benchmarks) &&
      inputs.generate-svgs }}
    uses: ./.github/workflows/generate_svgs.yml
    with:
@@ -222,3 +166,54 @@ jobs:
      DATA_EXTRACTOR_DATABASE_USER: ${{ secrets.DATA_EXTRACTOR_DATABASE_USER }}
      DATA_EXTRACTOR_DATABASE_HOST: ${{ secrets.DATA_EXTRACTOR_DATABASE_HOST }}
      DATA_EXTRACTOR_DATABASE_PASSWORD: ${{ secrets.DATA_EXTRACTOR_DATABASE_PASSWORD }}
+
+  open-pr:
+    name: benchmark-documentation/open-pr
+    needs: [ generate-svgs-with-benchmarks-run, generate-svgs-without-benchmarks-run ]
+    if: ${{ always() && inputs.open-pr &&
+      (needs.generate-svgs-with-benchmarks-run.result == 'success' || needs.generate-svgs-without-benchmarks-run.result == 'success') }}
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write # Needed to create a commit
+      pull-requests: write # Needed to open a pull-request
+    env:
+      PATH_TO_DOC_ASSETS: tfhe/docs/.gitbook/assets
+    steps:
+      - name: Checkout tfhe-rs
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
+        with:
+          persist-credentials: 'false'
+
+      - name: Download SVG tables
+        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
+        with:
+          path: svg_tables
+          merge-multiple: 'true'
+
+      # Perform best effort to copy SVG tables. If the copy fails or files don't exist, the PR will still be created.
+      - name: Copy SVG tables to documentation location
+        run: |
+          cp -f svg_tables/*integer-benchmark*.svg "${PATH_TO_DOC_ASSETS}" 2>/dev/null
+          cp -f svg_tables/*pbs-benchmark-tuniform*.svg "${PATH_TO_DOC_ASSETS}" 2>/dev/null
+          cp -f svg_tables/cpu-gpu-hpu-integer-benchmark-fheuint64-tuniform-2m128-ciphertext.svg "${PATH_TO_DOC_ASSETS}" 2>/dev/null
+
+      - name: Get current date
+        id: get-date
+        run: |
+          echo "date=$(date '+%g_%m_%d_%Hh%Mm%Ss')" >> "${GITHUB_OUTPUT}"
+
+      - name: Create pull-request
+        uses: peter-evans/create-pull-request@98357b18bf14b5342f975ff684046ec3b2a07725 # v8.0.0
+        with:
+          sign-commits: true # Commit will be signed by github-actions bot
+          add-paths: ${{ env.PATH_TO_DOC_ASSETS }}/*.svg
+          branch: gh-bot/docs/update-svg-tables-${{ steps.get-date.outputs.date }}
+          commit-message: |
+            chore(docs): update benchmark results for all backends
+
+            Automated documentation update from tfhe-rs CI pipeline.
+          title: |
+            [CI] chore(docs): update benchmark results for all backends
+          body: |
+            Documentation update triggered by GitHub workflow.
+          labels: documentation
--- a/.github/workflows/benchmark_gpu.yml
+++ b/.github/workflows/benchmark_gpu.yml
@@ -31,13 +31,10 @@ on:
          - pbs128
          - ks
          - ks_pbs
-          - tfhe_zk_pok
-          - msm_zk
          - integer_zk
-          - integer_zk_experimental
          - integer_aes
          - integer_aes256
-          - hlapi_erc7984
+          - hlapi_erc20
          - hlapi_dex
          - hlapi_noise_squash
      op_flavor:
@@ -88,7 +85,6 @@ jobs:
    outputs:
      profile: ${{ steps.parse_profile.outputs.profile }}
      hardware_name: ${{ steps.parse_hardware_name.outputs.name }}
-      additional_file_to_parse: ${{ steps.set_file_to_parse.outputs.additional_file_to_parse }}
    env:
      INPUTS_PROFILE: ${{ inputs.profile }}
    steps:
@@ -108,36 +104,6 @@ jobs:
          NAME=$(echo "${INPUTS_PROFILE}" | sed 's|.*[[:space:]](\(.*\))|\1|')
          echo "name=${NAME}" >> "${GITHUB_OUTPUT}"

-      - name: Get additional file to parse
-        id: set_file_to_parse
-        shell: python
-        env:
-          INPUTS_COMMAND: ${{ inputs.command }}
-        run: |
-          import os
-
-          inputs_command = os.environ["INPUTS_COMMAND"]
-          output_file = os.environ["GITHUB_OUTPUT"]
-
-          files_to_parse = []
-
-          if inputs_command == "integer_zk":
-            files_to_parse.append("pke_zk_crs_sizes.csv")
-          elif inputs_command == "hlapi_erc7984":
-            files_to_parse.append("erc7984_pbs_count.csv")
-          elif inputs_command == "hlapi_dex":
-            files_to_parse.extend(
-              [
-                "dex_swap_request_update_dex_balance_pbs_count.csv",
-                "dex_swap_request_finalize_pbs_count.csv",
-                "dex_swap_claim_prepare_pbs_count.csv",
-                "dex_swap_claim_update_dex_balance_pbs_count.csv"
-              ]
-            )
-
-          with open(output_file, "a") as f:
-            f.write(f"""additional_file_to_parse={",".join(files_to_parse)}\n""")
-
  run-benchmarks:
    name: benchmark_gpu/run-benchmarks
    needs: parse-inputs
@@ -150,7 +116,6 @@ jobs:
      bench_type: ${{ inputs.bench_type }}
      params_type: ${{ inputs.params_type }}
      precisions_set: ${{ inputs.precisions_set }}
-      additional_file_to_parse: ${{ needs.parse-inputs.outputs.additional_file_to_parse }}
    secrets:
      BOT_USERNAME: ${{ secrets.BOT_USERNAME }}
      SLACK_CHANNEL: ${{ secrets.SLACK_CHANNEL }}
--- a/.github/workflows/benchmark_gpu_4090.yml
+++ b/.github/workflows/benchmark_gpu_4090.yml
@@ -40,7 +40,7 @@ jobs:
    timeout-minutes: 1440 # 24 hours
    steps:
      - name: Checkout tfhe-rs
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
        with:
          fetch-depth: 0
          persist-credentials: 'false'
@@ -63,7 +63,7 @@ jobs:
          toolchain: nightly

      - name: Checkout Slab repo
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
        with:
          repository: zama-ai/slab
          path: slab
@@ -89,7 +89,7 @@ jobs:
          REF_NAME: ${{ github.ref_name }}

      - name: Upload parsed results artifact
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f
        with:
          name: ${{ github.sha }}_integer_multi_bit_gpu_default
          path: ${{ env.RESULTS_FILENAME }}
@@ -123,7 +123,7 @@ jobs:

    steps:
      - name: Checkout tfhe-rs
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
        with:
          fetch-depth: 0
          persist-credentials: 'false'
@@ -146,7 +146,7 @@ jobs:
          toolchain: nightly

      - name: Checkout Slab repo
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
        with:
          repository: zama-ai/slab
          path: slab
@@ -173,7 +173,7 @@ jobs:
          REF_NAME: ${{ github.ref_name }}

      - name: Upload parsed results artifact
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f
        with:
          name: ${{ github.sha }}_core_crypto
          path: ${{ env.RESULTS_FILENAME }}
--- a/.github/workflows/benchmark_gpu_common.yml
+++ b/.github/workflows/benchmark_gpu_common.yml
@@ -28,8 +28,6 @@ on:
      precisions_set:
        type: string
        default: fast
-      additional_file_to_parse: # Other files to parse, located under tfhe-benchmark/ directory
-        type: string # Use comma separated values to generate an array
    secrets:
      REPO_CHECKOUT_TOKEN:
        required: true
@@ -111,7 +109,7 @@ jobs:
            ]:
              f.write(f"""{env_name}=["{'", "'.join(values_to_join)}"]\n""")

-      - name: Set matrix arguments outputs
+      - name: Set martix arguments outputs
        id: set_matrix_args
        run: | # zizmor: ignore[template-injection] these env variable are safe
          {
@@ -126,10 +124,16 @@ jobs:
    needs: prepare-matrix
    runs-on: ubuntu-latest
    outputs:
-      runner-name: ${{ steps.start-instance.outputs.label }}
+      # Use permanent remote instance label first as on-demand remote instance label output is set before the end of start-remote-instance step.
+      # If the latter fails due to a failed GitHub action runner set up, we have to fallback on the permanent instance.
+      # Since the on-demand remote label is set before failure, we have to do the logical OR in this order,
+      # otherwise we'll try to run the next job on a non-existing on-demand instance.
+      runner-name: ${{ steps.use-permanent-instance.outputs.runner_group || steps.start-remote-instance.outputs.label }}
+      remote-instance-outcome: ${{ steps.start-remote-instance.outcome }}
    steps:
-      - name: Start instance
-        id: start-instance
+      - name: Start remote instance
+        id: start-remote-instance
+        continue-on-error: true
        uses: zama-ai/slab-github-runner@5aee5d157f4a0201e5eaefc9cc648e5f9f5472a5 # v1.6.0
        with:
          mode: start
@@ -139,6 +143,25 @@ jobs:
          backend: ${{ inputs.backend }}
          profile: ${{ inputs.profile }}

+      - name: Acknowledge remote instance failure
+        if: steps.start-remote-instance.outcome == 'failure' &&
+          inputs.profile != 'single-h100'
+        run: |
+          echo "Remote instance instance has failed to start (profile provided: '${INPUTS_PROFILE}')"
+          echo "Permanent instance instance cannot be used as a substitute (profile needed: 'single-h100')"
+          exit 1
+        env:
+          INPUTS_PROFILE: ${{ inputs.profile }}
+
+      # This will allow to fallback on permanent instances running on Hyperstack.
+      - name: Use permanent remote instance
+        id: use-permanent-instance
+        if: env.SECRETS_AVAILABLE == 'true' &&
+          steps.start-remote-instance.outcome == 'failure' &&
+          inputs.profile == 'single-h100'
+        run: |
+          echo "runner_group=h100x1" >> "$GITHUB_OUTPUT"
+
  # Install dependencies only once since cuda-benchmarks uses a matrix strategy, thus running multiple times.
  install-dependencies:
    name: benchmark_gpu_common/install-dependencies
@@ -152,13 +175,14 @@ jobs:
            gcc: 11
    steps:
      - name: Checkout tfhe-rs repo
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
        with:
          fetch-depth: 0
          persist-credentials: 'false'
          token: ${{ secrets.REPO_CHECKOUT_TOKEN }}

      - name: Setup Hyperstack dependencies
+        if: needs.setup-instance.outputs.remote-instance-outcome == 'success'
        uses: ./.github/actions/gpu_setup
        with:
          cuda-version: ${{ matrix.cuda }}
@@ -185,7 +209,7 @@ jobs:
      CUDA_PATH: /usr/local/cuda-${{ matrix.cuda }}
    steps:
      - name: Checkout tfhe-rs repo with tags
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
        with:
          fetch-depth: 0
          persist-credentials: 'false'
@@ -256,27 +280,14 @@ jobs:
          REF_NAME: ${{ github.ref_name }}
          BENCH_TYPE: ${{ matrix.bench_type }}

-      - name: Parse additional benchmarks results files
-        if: ${{ inputs.additional_file_to_parse }}
-        run: |
-          filenames_list="${filenames}"
-          IFS=','
-          for filename in $filenames_list; do
-            python3 ./ci/benchmark_parser.py "tfhe-benchmark/${filename}" "${RESULTS_FILENAME}" \
-            --object-size \
-            --append-results
-          done
-        env:
-          filenames: ${{ inputs.additional_file_to_parse }}
-
      - name: Upload parsed results artifact
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f
        with:
          name: ${{ github.sha }}_${{ matrix.command }}_${{ matrix.op_flavor }}_${{ inputs.profile }}_${{ matrix.bench_type }}_${{ matrix.params_type }}
          path: ${{ env.RESULTS_FILENAME }}

      - name: Checkout Slab repo
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
        with:
          repository: zama-ai/slab
          path: slab
@@ -307,7 +318,7 @@ jobs:

  teardown-instance:
    name: benchmark_gpu_common/teardown-instance
-    if: ${{ always() && needs.setup-instance.result == 'success' }}
+    if: ${{ always() && needs.setup-instance.outputs.remote-instance-outcome == 'success' }}
    needs: [ setup-instance, cuda-benchmarks, slack-notify ]
    runs-on: ubuntu-latest
    steps:
--- a/.github/workflows/benchmark_gpu_coprocessor.yml
+++ b/.github/workflows/benchmark_gpu_coprocessor.yml
@@ -42,7 +42,7 @@ env:
  OPTIMIZATION_TARGET: "throughput"
  BATCH_SIZE: "5000"
  SCHEDULING_POLICY: "MAX_PARALLELISM"
-  BENCHMARKS: "erc7984"
+  BENCHMARKS: "erc20"
  BRANCH_NAME: ${{ github.ref_name }}
  COMMIT_SHA: ${{ github.sha }}
  SLAB_SECRET: ${{ secrets.JOB_SECRET }}
@@ -50,8 +50,6 @@ env:
 jobs:
  parse-inputs:
    name: benchmark_gpu_coprocessor/parse-inputs
-    if: github.event_name == 'workflow_dispatch' ||
-      (github.event_name == 'schedule' && github.repository == 'zama-ai/tfhe-rs')
    runs-on: ubuntu-latest
    permissions:
      contents: 'read'
@@ -77,7 +75,7 @@ jobs:
          if [[ ${IS_MANUAL_RUN} == true ]]; then
            PROFILE_RAW="${PROFILE_MANUAL_RUN}"
          else
-            PROFILE_RAW="${PROFILE_SCHEDULED_RUN}"
+            PROFILE_RAW="${PROFILE}"
          fi
          # shellcheck disable=SC2001
          PROFILE_VAL=$(echo "${PROFILE_RAW}" | sed 's|.*[[:space:]](\(.*\))|\1|')
@@ -126,20 +124,13 @@ jobs:
    steps:
      - name: Install git LFS
        run: |
-          # Disable unattended-upgrades to avoid lock issues
-          sudo systemctl mask --now unattended-upgrades
-          sudo systemctl stop --now unattended-upgrades
-
-          sudo apt-get clean
-          sudo rm -rf /var/lib/apt/lists/*
-          sudo apt purge -y unattended-upgrades
-
+          sudo apt-get remove -y unattended-upgrades
          sudo apt-get update
          sudo apt-get install -y git-lfs protobuf-compiler
          git lfs install

      - name: Checkout tfhe-rs
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          path: tfhe-rs
          persist-credentials: false
@@ -150,7 +141,7 @@ jobs:
          ls

      - name: Checkout fhevm
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          repository: zama-ai/fhevm
          persist-credentials: 'false'
@@ -201,10 +192,10 @@ jobs:
          cargo install sqlx-cli

      - name: Install foundry
-        uses: foundry-rs/foundry-toolchain@8789b3e21e6c11b2697f5eb56eddae542f746c10
+        uses: foundry-rs/foundry-toolchain@8b0419c685ef46cb79ec93fbdc131174afceb730

      - name: Cache cargo
-        uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
+        uses: actions/cache@9255dc7a253b0ccc959486e2bca901246202afeb # v5.0.1
        with:
          path: |
            ~/.cargo/registry
@@ -214,14 +205,14 @@ jobs:
          restore-keys: ${{ runner.os }}-cargo-

      - name: Login to GitHub Container Registry
-        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Login to Chainguard Registry
-        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
        with:
          registry: cgr.dev
          username: ${{ secrets.CGR_USERNAME }}
@@ -232,7 +223,7 @@ jobs:
        working-directory: fhevm/coprocessor/fhevm-engine/tfhe-worker

      - name: Use Node.js
-        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
+        uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
        with:
          node-version: 20.x

@@ -248,13 +239,13 @@ jobs:
          npm install && npm run deploy:emptyProxies && npx hardhat compile
        working-directory: fhevm/

-      - name: Profile erc7984 no-cmux benchmark on GPU
+      - name: Profile erc20 no-cmux benchmark on GPU
        run: |
          BENCHMARK_BATCH_SIZE="${BATCH_SIZE}" \
          FHEVM_DF_SCHEDULE="${SCHEDULING_POLICY}" \
          BENCHMARK_TYPE="THROUGHPUT_200" \
          OPTIMIZATION_TARGET="${OPTIMIZATION_TARGET}" \
-          make -e "profile_erc7984_gpu"
+          make -e "profile_erc20_gpu"
        working-directory: fhevm/coprocessor/fhevm-engine/tfhe-worker

      - name: Get nsys profile name
@@ -271,7 +262,7 @@ jobs:
      - name: Upload profile artifact
        env:
          REPORT_NAME: ${{ steps.nsys_profile_name.outputs.profile }}
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f
        with:
          name: ${{ env.REPORT_NAME }}
          path: fhevm/coprocessor/fhevm-engine/tfhe-worker/${{ env.REPORT_NAME }}
@@ -302,13 +293,13 @@ jobs:
        working-directory: fhevm/

      - name: Upload parsed results artifact
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f
        with:
          name: ${COMMIT_SHA}_${BENCHMARKS}_${{ needs.parse-inputs.outputs.profile }}
          path: fhevm/$${{ env.RESULTS_FILENAME }}

      - name: Checkout Slab repo
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
        with:
          repository: zama-ai/slab
          path: slab
--- a/.github/workflows/benchmark_gpu_weekly.yml
+++ b/.github/workflows/benchmark_gpu_weekly.yml
@@ -1,28 +1,289 @@
-# Run CUDA benchmarks on Hyperstack VM and return parsed results to Slab CI bot.
+# Run CUDA benchmarks on multiple Hyperstack VMs and return parsed results to Slab CI bot.
 name: benchmark_gpu_weekly

-run-name: GPU weekly benchmarks
-
 on:
  schedule:
+    # Weekly schedules are separated in several groups to avoid spawning too many the machines at once thus risking resource shortages.
+    # Group 1
+    # -------
    # Weekly benchmarks will be triggered each Saturday at 1a.m.
    - cron: '0 1 * * 6'
+    # Group 2
+    # -------
+    # Weekly benchmarks will be triggered each Sunday at 1a.m.
+    - cron: '0 1 * * 0'
+    # Group 3
+    # -------
+    # Weekly benchmarks will be triggered each Sunday at 9p.m.
+    - cron: '0 9 * * 0'
+

 permissions: {}

 # zizmor: ignore[concurrency-limits] only GitHub can trigger this workflow

 jobs:
-  run-benchmarks-8-h100-sxm5-summary:
-    name: benchmark_gpu_weekly/run-benchmarks-8-h100-sxm5-summary
-    if: github.repository == 'zama-ai/tfhe-rs'
+  prepare-inputs:
+    name: benchmark_cpu_weekly/prepare-inputs
+    runs-on: ubuntu-latest
+    outputs:
+      is_weekly_bench_group_1: ${{ steps.check_bench_group_1.outputs.is_weekly_bench_group_1 }}
+      is_weekly_bench_group_2: ${{ steps.check_bench_group_2.outputs.is_weekly_bench_group_2 }}
+      is_weekly_bench_group_3: ${{ steps.check_bench_group_3.outputs.is_weekly_bench_group_3 }}
+    steps:
+      - name: Check is weekly bench group 1
+        id: check_bench_group_1
+        run: | # zizmor: ignore[template-injection] this env variable is safe
+          echo "is_weekly_bench_group_1=${{ github.event.schedule == '0 1 * * 6' }}" >> "${GITHUB_OUTPUT}"
+
+      - name: Check is weekly bench group 2
+        id: check_bench_group_2
+        run: | # zizmor: ignore[template-injection] this env variable is safe
+          echo "is_weekly_bench_group_2=${{ github.event.schedule == '0 1 * * 0' }}" >> "${GITHUB_OUTPUT}"
+
+      - name: Check is weekly bench group 3
+        id: check_bench_group_3
+        run: | # zizmor: ignore[template-injection] this env variable is safe
+          echo "is_weekly_bench_group_3=${{ github.event.schedule == '0 9 * * 0' }}" >> "${GITHUB_OUTPUT}"
+
+
+  run-benchmarks-8-h100-sxm5-integer:
+    name: benchmark_gpu_weekly/run-benchmarks-8-h100-sxm5-integer
+    if: github.repository == 'zama-ai/tfhe-rs' &&
+      needs.prepare-inputs.outputs.is_weekly_bench_group_1 == 'true'
+    needs: prepare-inputs
    uses: ./.github/workflows/benchmark_gpu_common.yml
    with:
      profile: multi-h100-sxm5
      hardware_name: n3-H100-SXM5x8
-      command: summary
+      command: integer_multi_bit
+      op_flavor: default
+      bench_type: both
+      precisions_set: fast
+    secrets:
+      BOT_USERNAME: ${{ secrets.BOT_USERNAME }}
+      SLACK_CHANNEL: ${{ secrets.SLACK_CHANNEL }}
+      SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
+      REPO_CHECKOUT_TOKEN: ${{ secrets.REPO_CHECKOUT_TOKEN }}
+      JOB_SECRET: ${{ secrets.JOB_SECRET }}
+      SLAB_ACTION_TOKEN: ${{ secrets.SLAB_ACTION_TOKEN }}
+      SLAB_URL: ${{ secrets.SLAB_URL }}
+      SLAB_BASE_URL: ${{ secrets.SLAB_BASE_URL }}
+
+  run-benchmarks-8-h100-sxm5-integer-compression:
+    name: benchmark_gpu_weekly/run-benchmarks-8-h100-sxm5-integer-compression
+    if: github.repository == 'zama-ai/tfhe-rs' &&
+      needs.prepare-inputs.outputs.is_weekly_bench_group_1 == 'true'
+    needs: prepare-inputs
+    uses: ./.github/workflows/benchmark_gpu_common.yml
+    with:
+      profile: multi-h100-sxm5
+      hardware_name: n3-H100-SXM5x8
+      command: integer_compression
+      op_flavor: default
+      bench_type: both
+      precisions_set: fast
+    secrets:
+      BOT_USERNAME: ${{ secrets.BOT_USERNAME }}
+      SLACK_CHANNEL: ${{ secrets.SLACK_CHANNEL }}
+      SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
+      REPO_CHECKOUT_TOKEN: ${{ secrets.REPO_CHECKOUT_TOKEN }}
+      JOB_SECRET: ${{ secrets.JOB_SECRET }}
+      SLAB_ACTION_TOKEN: ${{ secrets.SLAB_ACTION_TOKEN }}
+      SLAB_URL: ${{ secrets.SLAB_URL }}
+      SLAB_BASE_URL: ${{ secrets.SLAB_BASE_URL }}
+
+  run-benchmarks-8-h100-sxm5-integer-zk-aes:
+    name: benchmark_gpu_weekly/run-benchmarks-8-h100-sxm5-integer-zk-aes
+    if: github.repository == 'zama-ai/tfhe-rs' &&
+      needs.prepare-inputs.outputs.is_weekly_bench_group_1 == 'true'
+    needs: prepare-inputs
+    uses: ./.github/workflows/benchmark_gpu_common.yml
+    with:
+      profile: multi-h100-sxm5
+      hardware_name: n3-H100-SXM5x8
+      command: integer_zk,integer_aes,integer_aes256
+      op_flavor: default
+      bench_type: both
+      precisions_set: fast
+    secrets:
+      BOT_USERNAME: ${{ secrets.BOT_USERNAME }}
+      SLACK_CHANNEL: ${{ secrets.SLACK_CHANNEL }}
+      SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
+      REPO_CHECKOUT_TOKEN: ${{ secrets.REPO_CHECKOUT_TOKEN }}
+      JOB_SECRET: ${{ secrets.JOB_SECRET }}
+      SLAB_ACTION_TOKEN: ${{ secrets.SLAB_ACTION_TOKEN }}
+      SLAB_URL: ${{ secrets.SLAB_URL }}
+      SLAB_BASE_URL: ${{ secrets.SLAB_BASE_URL }}
+
+  run-benchmarks-8-h100-sxm5-noise-squash:
+    name: benchmark_gpu_weekly/run-benchmarks-8-h100-sxm5-noise-squash
+    if: github.repository == 'zama-ai/tfhe-rs' &&
+      needs.prepare-inputs.outputs.is_weekly_bench_group_1 == 'true'
+    needs: prepare-inputs
+    uses: ./.github/workflows/benchmark_gpu_common.yml
+    with:
+      profile: multi-h100-sxm5
+      hardware_name: n3-H100-SXM5x8
+      command: hlapi_noise_squash
+      op_flavor: default
+      bench_type: both
+      precisions_set: fast
+    secrets:
+      BOT_USERNAME: ${{ secrets.BOT_USERNAME }}
+      SLACK_CHANNEL: ${{ secrets.SLACK_CHANNEL }}
+      SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
+      REPO_CHECKOUT_TOKEN: ${{ secrets.REPO_CHECKOUT_TOKEN }}
+      JOB_SECRET: ${{ secrets.JOB_SECRET }}
+      SLAB_ACTION_TOKEN: ${{ secrets.SLAB_ACTION_TOKEN }}
+      SLAB_URL: ${{ secrets.SLAB_URL }}
+      SLAB_BASE_URL: ${{ secrets.SLAB_BASE_URL }}
+
+  run-benchmarks-1-h100-core-crypto:
+    name: benchmark_gpu_weekly/run-benchmarks-1-h100-core-crypto (1xH100)
+    if: github.repository == 'zama-ai/tfhe-rs' &&
+      needs.prepare-inputs.outputs.is_weekly_bench_group_1 == 'true'
+    needs: prepare-inputs
+    uses: ./.github/workflows/benchmark_gpu_common.yml
+    with:
+      profile: single-h100
+      hardware_name: n3-H100x1
+      command: pbs,pbs128,ks,ks_pbs
+      bench_type: latency
+    secrets:
+      BOT_USERNAME: ${{ secrets.BOT_USERNAME }}
+      SLACK_CHANNEL: ${{ secrets.SLACK_CHANNEL }}
+      SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
+      REPO_CHECKOUT_TOKEN: ${{ secrets.REPO_CHECKOUT_TOKEN }}
+      JOB_SECRET: ${{ secrets.JOB_SECRET }}
+      SLAB_ACTION_TOKEN: ${{ secrets.SLAB_ACTION_TOKEN }}
+      SLAB_URL: ${{ secrets.SLAB_URL }}
+      SLAB_BASE_URL: ${{ secrets.SLAB_BASE_URL }}
+
+  # -----------------------------------------------------
+  # ERC20 benchmarks
+  # -----------------------------------------------------
+
+  run-benchmarks-1-h100-erc20:
+    name: benchmark_gpu_weekly/run-benchmarks-1-h100-erc20
+    if: github.repository == 'zama-ai/tfhe-rs' &&
+      needs.prepare-inputs.outputs.is_weekly_bench_group_2 == 'true'
+    needs: prepare-inputs
+    uses: ./.github/workflows/benchmark_gpu_common.yml
+    with:
+      profile: single-h100
+      hardware_name: n3-H100x1
+      command: hlapi_erc20
+      bench_type: both
+    secrets:
+      BOT_USERNAME: ${{ secrets.BOT_USERNAME }}
+      SLACK_CHANNEL: ${{ secrets.SLACK_CHANNEL }}
+      SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
+      REPO_CHECKOUT_TOKEN: ${{ secrets.REPO_CHECKOUT_TOKEN }}
+      JOB_SECRET: ${{ secrets.JOB_SECRET }}
+      SLAB_ACTION_TOKEN: ${{ secrets.SLAB_ACTION_TOKEN }}
+      SLAB_URL: ${{ secrets.SLAB_URL }}
+      SLAB_BASE_URL: ${{ secrets.SLAB_BASE_URL }}
+
+  run-benchmarks-2-h100-erc20:
+    name: benchmark_gpu_weekly/run-benchmarks-2-h100-erc20
+    if: github.repository == 'zama-ai/tfhe-rs' &&
+      needs.prepare-inputs.outputs.is_weekly_bench_group_2 == 'true'
+    needs: prepare-inputs
+    uses: ./.github/workflows/benchmark_gpu_common.yml
+    with:
+      profile: 2-h100
+      hardware_name: n3-H100x2
+      command: hlapi_erc20
+      bench_type: both
+    secrets:
+      BOT_USERNAME: ${{ secrets.BOT_USERNAME }}
+      SLACK_CHANNEL: ${{ secrets.SLACK_CHANNEL }}
+      SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
+      REPO_CHECKOUT_TOKEN: ${{ secrets.REPO_CHECKOUT_TOKEN }}
+      JOB_SECRET: ${{ secrets.JOB_SECRET }}
+      SLAB_ACTION_TOKEN: ${{ secrets.SLAB_ACTION_TOKEN }}
+      SLAB_URL: ${{ secrets.SLAB_URL }}
+      SLAB_BASE_URL: ${{ secrets.SLAB_BASE_URL }}
+
+  run-benchmarks-8-h100-erc20:
+    name: benchmark_gpu_weekly/run-benchmarks-8-h100-erc20
+    if: github.repository == 'zama-ai/tfhe-rs' &&
+      needs.prepare-inputs.outputs.is_weekly_bench_group_2 == 'true'
+    needs: prepare-inputs
+    uses: ./.github/workflows/benchmark_gpu_common.yml
+    with:
+      profile: multi-h100
+      hardware_name: n3-H100-SXM5x8
+      command: hlapi_erc20
+      bench_type: both
+    secrets:
+      BOT_USERNAME: ${{ secrets.BOT_USERNAME }}
+      SLACK_CHANNEL: ${{ secrets.SLACK_CHANNEL }}
+      SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
+      REPO_CHECKOUT_TOKEN: ${{ secrets.REPO_CHECKOUT_TOKEN }}
+      JOB_SECRET: ${{ secrets.JOB_SECRET }}
+      SLAB_ACTION_TOKEN: ${{ secrets.SLAB_ACTION_TOKEN }}
+      SLAB_URL: ${{ secrets.SLAB_URL }}
+      SLAB_BASE_URL: ${{ secrets.SLAB_BASE_URL }}
+
+  # -----------------------------------------------------
+  # DEX benchmarks
+  # -----------------------------------------------------
+
+  run-benchmarks-1-h100-dex:
+    name: benchmark_gpu_weekly/run-benchmarks-1-h100-dex
+    if: github.repository == 'zama-ai/tfhe-rs' &&
+      needs.prepare-inputs.outputs.is_weekly_bench_group_2 == 'true'
+    needs: prepare-inputs
+    uses: ./.github/workflows/benchmark_gpu_common.yml
+    with:
+      profile: single-h100
+      hardware_name: n3-H100x1
+      command: hlapi_dex
+      bench_type: both
+    secrets:
+      BOT_USERNAME: ${{ secrets.BOT_USERNAME }}
+      SLACK_CHANNEL: ${{ secrets.SLACK_CHANNEL }}
+      SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
+      REPO_CHECKOUT_TOKEN: ${{ secrets.REPO_CHECKOUT_TOKEN }}
+      JOB_SECRET: ${{ secrets.JOB_SECRET }}
+      SLAB_ACTION_TOKEN: ${{ secrets.SLAB_ACTION_TOKEN }}
+      SLAB_URL: ${{ secrets.SLAB_URL }}
+      SLAB_BASE_URL: ${{ secrets.SLAB_BASE_URL }}
+
+  run-benchmarks-2-h100-dex:
+    name: benchmark_gpu_weekly/run-benchmarks-2-h100-dex
+    if: github.repository == 'zama-ai/tfhe-rs' &&
+      needs.prepare-inputs.outputs.is_weekly_bench_group_2 == 'true'
+    needs: prepare-inputs
+    uses: ./.github/workflows/benchmark_gpu_common.yml
+    with:
+      profile: 2-h100
+      hardware_name: n3-H100x2
+      command: hlapi_dex
+      bench_type: both
+    secrets:
+      BOT_USERNAME: ${{ secrets.BOT_USERNAME }}
+      SLACK_CHANNEL: ${{ secrets.SLACK_CHANNEL }}
+      SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
+      REPO_CHECKOUT_TOKEN: ${{ secrets.REPO_CHECKOUT_TOKEN }}
+      JOB_SECRET: ${{ secrets.JOB_SECRET }}
+      SLAB_ACTION_TOKEN: ${{ secrets.SLAB_ACTION_TOKEN }}
+      SLAB_URL: ${{ secrets.SLAB_URL }}
+      SLAB_BASE_URL: ${{ secrets.SLAB_BASE_URL }}
+
+  run-benchmarks-8-h100-dex:
+    name: benchmark_gpu_weekly/run-benchmarks-8-h100-dex
+    if: github.repository == 'zama-ai/tfhe-rs' &&
+      needs.prepare-inputs.outputs.is_weekly_bench_group_2 == 'true'
+    needs: prepare-inputs
+    uses: ./.github/workflows/benchmark_gpu_common.yml
+    with:
+      profile: multi-h100
+      hardware_name: n3-H100-SXM5x8
+      command: hlapi_dex
      bench_type: both
-      params_type: classical + multi_bit
    secrets:
      BOT_USERNAME: ${{ secrets.BOT_USERNAME }}
      SLACK_CHANNEL: ${{ secrets.SLACK_CHANNEL }}
--- a/.github/workflows/benchmark_hpu.yml
+++ b/.github/workflows/benchmark_hpu.yml
@@ -12,9 +12,8 @@ on:
        default: integer
        options:
          - integer
-          - hlapi_unsigned
-          - hlapi_signed
-          - hlapi_erc7984
+          - hlapi
+          - hlapi_erc20
      op_flavor:
        description: "Operations set to run"
        type: choice
--- a/.github/workflows/benchmark_hpu_common.yml
+++ b/.github/workflows/benchmark_hpu_common.yml
@@ -95,7 +95,7 @@ jobs:
            ]:
              f.write(f"""{env_name}=["{'", "'.join(values_to_join)}"]\n""")

-      - name: Set matrix arguments outputs
+      - name: Set martix arguments outputs
        id: set_matrix_args
        run: | # zizmor: ignore[template-injection] these env variable are safe
          {
@@ -121,12 +121,12 @@ jobs:
    steps:
      # Needed as long as hw_regmap repository is private
      - name: Configure SSH
-        uses: webfactory/ssh-agent@e83874834305fe9a4a2997156cb26c5de65a8555 # v0.10.0
+        uses: webfactory/ssh-agent@a6f90b1f127823b31d4d4a8d96047790581349bd # v0.9.1
        with:
          ssh-private-key: ${{ secrets.SSH_PRIVATE_KEY }}

      - name: Checkout tfhe-rs repo with tags
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
        with:
          fetch-depth: 0
          persist-credentials: 'false'
@@ -185,13 +185,13 @@ jobs:
          BENCH_TYPE: ${{ matrix.bench_type }}

      - name: Upload parsed results artifact
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f
        with:
-          name: ${{ github.sha }}_${{ matrix.bench_type }}_${{ matrix.command }}_benchmarks
+          name: ${{ github.sha }}_${{ matrix.bench_type }}_integer_benchmarks
          path: ${{ env.RESULTS_FILENAME }}

      - name: Checkout Slab repo
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
        with:
          repository: zama-ai/slab
          path: slab
--- a/.github/workflows/benchmark_perf_regression.yml
+++ b/.github/workflows/benchmark_perf_regression.yml
@@ -50,7 +50,7 @@ jobs:
      pull-requests: write # Needed to write a comment in a pull-request
    steps:
      - name: Checkout tfhe-rs repo
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
        with:
          persist-credentials: 'false'
          token: ${{ secrets.REPO_CHECKOUT_TOKEN }}
@@ -164,7 +164,7 @@ jobs:
            gcc: 11
    steps:
      - name: Checkout tfhe-rs repo
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
        with:
          persist-credentials: 'false'
          token: ${{ secrets.REPO_CHECKOUT_TOKEN }}
@@ -191,7 +191,7 @@ jobs:
        command: ${{ fromJson(needs.prepare-benchmarks.outputs.commands) }}
    steps:
      - name: Checkout tfhe-rs repo
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
        with:
          fetch-depth: 0  # Needed to get commit hash
          persist-credentials: 'false'
@@ -245,7 +245,7 @@ jobs:
          toolchain: nightly

      - name: Checkout Slab repo
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
        with:
          repository: zama-ai/slab
          path: slab
@@ -280,7 +280,7 @@ jobs:
          BENCH_TYPE: ${{ env.__TFHE_RS_BENCH_TYPE }}

      - name: Upload parsed results artifact
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f
        with:
          name: ${{ github.sha }}_regression_${{ env.RESULTS_FILE_SHA }} # RESULT_FILE_SHA is needed to avoid collision between matrix.command runs
          path: ${{ env.RESULTS_FILENAME }}
@@ -305,24 +305,20 @@ jobs:
      REF_NAME: ${{ github.head_ref || github.ref_name }}
    steps:
      - name: Checkout tfhe-rs repo
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
        with:
          persist-credentials: 'false'
          token: ${{ secrets.REPO_CHECKOUT_TOKEN }}

      - name: Install recent Python
-        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+        uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
        with:
          python-version: '3.12'
-
-      - name: Install requirements
-        run: |
-          python3.12 -m venv venv
-          venv/bin/pip3 install -r ci/data_extractor/requirements.txt -r ci/perf_regression/requirements.txt
+          pip-install: -r ci/data_extractor/requirements.txt -r ci/perf_regression/requirements.txt

      - name: Fetch data
        run: |
-          venv/bin/python3 ci/data_extractor/src/data_extractor.py regression_data \
+          python3 ci/data_extractor/src/data_extractor.py regression_data \
          --generate-regression-json \
          --regression-profiles ci/regression.toml \
          --regression-selected-profile "${REGRESSION_PROFILE}" \
@@ -340,7 +336,7 @@ jobs:

      - name: Generate regression report
        run: |
-          venv/bin/python3 ci/perf_regression/perf_regression.py check_regression \
+          python3 ci/perf_regression/perf_regression.py check_regression \
          --results-file regression_data.json \
          --generate-report

--- a/.github/workflows/benchmark_summary.yml
+++ b/.github/workflows/benchmark_summary.yml
@@ -1,136 +0,0 @@
-# Run all benchmarks displayed in the internal documentation.
-name: benchmark_summary
-
-run-name: Benchmark Summary
-
-on:
-  workflow_dispatch:
-    inputs:
-      run-cpu-benchmarks:
-        description: "Run CPU benchmarks"
-        type: boolean
-        default: true
-      run-gpu-benchmarks:
-        description: "Run GPU benchmarks"
-        type: boolean
-        default: true
-      gpu-profile:
-        description: "GPU Instance type"
-        required: true
-        default: "multi-h100-sxm5 (n3-H100-SXM5x8)"
-        type: choice
-        options:
-          - "l40 (n3-L40x1)"
-          - "4-l40 (n3-L40x4)"
-          - "8-l40 (n3-L40x8)"
-          - "multi-a100-nvlink (n3-A100x8-NVLink)"
-          - "single-h100 (n3-H100x1)"
-          - "2-h100 (n3-H100x2)"
-          - "4-h100 (n3-H100x4)"
-          - "multi-h100 (n3-H100x8)"
-          - "multi-h100-nvlink (n3-H100x8-NVLink)"
-          - "multi-h100-sxm5 (n3-H100-SXM5x8)"
-      bench_type:
-        description: "Benchmarks type"
-        type: choice
-        default: both
-        options:
-          - latency
-          - throughput
-          - both
-      run-hpu-benchmarks:
-        description: "Run HPU benchmarks"
-        type: boolean
-        default: true
-
-
-permissions: {}
-
-# zizmor: ignore[concurrency-limits] only Zama organization members can trigger this workflow
-
-jobs:
-  parse-gpu-inputs:
-    name: benchmark_summary/parse-gpu-inputs
-    if: inputs.run-gpu-benchmarks
-    runs-on: ubuntu-latest
-    outputs:
-      profile: ${{ steps.parse_profile.outputs.profile }}
-      hardware_name: ${{ steps.parse_hardware_name.outputs.name }}
-    env:
-      INPUTS_PROFILE: ${{ inputs.gpu-profile }}
-    steps:
-      - name: Parse profile
-        id: parse_profile
-        run: |
-          # Use Sed to extract a value from a string, this cannot be done with the ${variable//search/replace} pattern.
-          # shellcheck disable=SC2001
-          PROFILE=$(echo "${INPUTS_PROFILE}" | sed 's|\(.*\)[[:space:]](.*)|\1|')
-          echo "profile=${PROFILE}" >> "${GITHUB_OUTPUT}"
-
-      - name: Parse hardware name
-        id: parse_hardware_name
-        run: |
-          # Use Sed to extract a value from a string, this cannot be done with the ${variable//search/replace} pattern.
-          # shellcheck disable=SC2001
-          NAME=$(echo "${INPUTS_PROFILE}" | sed 's|.*[[:space:]](\(.*\))|\1|')
-          echo "name=${NAME}" >> "${GITHUB_OUTPUT}"
-
-  run-benchmarks-cpu:
-    name: benchmark_documentation/run-benchmarks-cpu-integer
-    uses: ./.github/workflows/benchmark_cpu_common.yml
-    if: inputs.run-cpu-benchmarks
-    with:
-      command: summary
-      bench_type: ${{ inputs.bench_type }}
-      params_type: classical + multi_bit
-    secrets:
-      BOT_USERNAME: ${{ secrets.BOT_USERNAME }}
-      SLACK_CHANNEL: ${{ secrets.SLACK_CHANNEL }}
-      SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
-      REPO_CHECKOUT_TOKEN: ${{ secrets.REPO_CHECKOUT_TOKEN }}
-      JOB_SECRET: ${{ secrets.JOB_SECRET }}
-      SLAB_ACTION_TOKEN: ${{ secrets.SLAB_ACTION_TOKEN }}
-      SLAB_URL: ${{ secrets.SLAB_URL }}
-      SLAB_BASE_URL: ${{ secrets.SLAB_BASE_URL }}
-
-  run-benchmarks-gpu:
-    name: benchmark_documentation/run-benchmarks-gpu
-    uses: ./.github/workflows/benchmark_gpu_common.yml
-    if: inputs.run-gpu-benchmarks
-    needs: parse-gpu-inputs
-    with:
-      profile: ${{ needs.parse-gpu-inputs.outputs.profile }}
-      hardware_name: ${{ needs.parse-gpu-inputs.outputs.hardware_name }}
-      command: summary
-      bench_type: ${{ inputs.bench_type }}
-      params_type: classical + multi_bit
-    secrets:
-      BOT_USERNAME: ${{ secrets.BOT_USERNAME }}
-      SLACK_CHANNEL: ${{ secrets.SLACK_CHANNEL }}
-      SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
-      REPO_CHECKOUT_TOKEN: ${{ secrets.REPO_CHECKOUT_TOKEN }}
-      JOB_SECRET: ${{ secrets.JOB_SECRET }}
-      SLAB_ACTION_TOKEN: ${{ secrets.SLAB_ACTION_TOKEN }}
-      SLAB_URL: ${{ secrets.SLAB_URL }}
-      SLAB_BASE_URL: ${{ secrets.SLAB_BASE_URL }}
-
-# TODO add make recipe for HPU benchmarks
-#  run-benchmarks-hpu:
-#    name: benchmark_documentation/run-benchmarks-hpu
-#    uses: ./.github/workflows/benchmark_hpu_common.yml
-#    if: inputs.run-hpu-benchmarks
-#    with:
-#      command: summary
-#      bench_type: ${{ inputs.bench_type }}
-#      v80_pcie_dev: 24
-#      v80_serial_number: XFL12NWY3ZKG
-#    secrets:
-#      BOT_USERNAME: ${{ secrets.BOT_USERNAME }}
-#      SLACK_CHANNEL: ${{ secrets.SLACK_CHANNEL }}
-#      SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
-#      REPO_CHECKOUT_TOKEN: ${{ secrets.REPO_CHECKOUT_TOKEN }}
-#      JOB_SECRET: ${{ secrets.JOB_SECRET }}
-#      SLAB_ACTION_TOKEN: ${{ secrets.SLAB_ACTION_TOKEN }}
-#      SLAB_URL: ${{ secrets.SLAB_URL }}
-#      SLAB_BASE_URL: ${{ secrets.SLAB_BASE_URL }}
-#      SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
--- a/.github/workflows/benchmark_tfhe_fft.yml
+++ b/.github/workflows/benchmark_tfhe_fft.yml
@@ -31,9 +31,6 @@ permissions: {}
 jobs:
  setup-instance:
    name: benchmark_tfhe_fft/setup-instance
-    if:
-      (github.event_name != 'workflow_dispatch' && github.repository == 'zama-ai/tfhe-rs') ||
-      github.event_name == 'workflow_dispatch'
    runs-on: ubuntu-latest
    outputs:
      runner-name: ${{ steps.start-instance.outputs.label }}
@@ -58,7 +55,7 @@ jobs:
    runs-on: ${{ needs.setup-instance.outputs.runner-name }}
    steps:
      - name: Checkout tfhe-rs repo with tags
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
        with:
          fetch-depth: 0
          persist-credentials: 'false'
@@ -76,7 +73,7 @@ jobs:
          SHA: ${{ github.sha }}

      - name: Install rust
-        uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9 # zizmor: ignore[stale-action-refs] this action doesn't create releases
+        uses: actions-rs/toolchain@16499b5e05bf2e26879000db0c1d13f7e13fa3af
        with:
          toolchain: nightly
          override: true
@@ -99,13 +96,13 @@ jobs:
          REF_NAME: ${{ github.ref_name }}

      - name: Upload parsed results artifact
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f
        with:
          name: ${{ github.sha }}_fft
          path: ${{ env.RESULTS_FILENAME }}

      - name: Checkout Slab repo
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
        with:
          repository: zama-ai/slab
          path: slab
--- a/.github/workflows/benchmark_tfhe_ntt.yml
+++ b/.github/workflows/benchmark_tfhe_ntt.yml
@@ -31,9 +31,6 @@ permissions: {}
 jobs:
  setup-instance:
    name: benchmark_tfhe_ntt/setup-instance
-    if:
-      (github.event_name != 'workflow_dispatch' && github.repository == 'zama-ai/tfhe-rs') ||
-      github.event_name == 'workflow_dispatch'
    runs-on: ubuntu-latest
    outputs:
      runner-name: ${{ steps.start-instance.outputs.label }}
@@ -58,7 +55,7 @@ jobs:
    runs-on: ${{ needs.setup-instance.outputs.runner-name }}
    steps:
      - name: Checkout tfhe-rs repo with tags
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
        with:
          fetch-depth: 0
          persist-credentials: 'false'
@@ -76,7 +73,7 @@ jobs:
          SHA: ${{ github.sha }}

      - name: Install rust
-        uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9 # zizmor: ignore[stale-action-refs] this action doesn't create releases
+        uses: actions-rs/toolchain@16499b5e05bf2e26879000db0c1d13f7e13fa3af
        with:
          toolchain: nightly
          override: true
@@ -99,13 +96,13 @@ jobs:
          REF_NAME: ${{ github.ref_name }}

      - name: Upload parsed results artifact
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f
        with:
          name: ${{ github.sha }}_ntt
          path: ${{ env.RESULTS_FILENAME }}

      - name: Checkout Slab repo
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
        with:
          repository: zama-ai/slab
          path: slab
--- a/.github/workflows/benchmark_wasm_client.yml
+++ b/.github/workflows/benchmark_wasm_client.yml
@@ -31,14 +31,15 @@ jobs:
    name: benchmark_wasm_client/should-run
    runs-on: ubuntu-latest
    if: github.event_name == 'workflow_dispatch' ||
-      (github.event_name != 'workflow_dispatch' && github.repository == 'zama-ai/tfhe-rs')
+      (github.event_name == 'schedule' && github.repository == 'zama-ai/tfhe-rs') ||
+      (github.event_name == 'push' && github.repository == 'zama-ai/tfhe-rs')
    permissions:
      pull-requests: read  # Needed to check for file change
    outputs:
      wasm_bench: ${{ steps.changed-files.outputs.wasm_bench_any_changed }}
    steps:
      - name: Checkout tfhe-rs
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
        with:
          fetch-depth: 0
          persist-credentials: 'false'
@@ -46,7 +47,7 @@ jobs:

      - name: Check for file changes
        id: changed-files
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
        with:
          files_yaml: |
            wasm_bench:
@@ -58,19 +59,171 @@ jobs:
              - tfhe/web_wasm_parallel_tests/**
              - .github/workflows/wasm_client_benchmark.yml

-  run-benchmarks-cpu-zk-client:
-    name: benchmark_documentation/run-benchmarks-cpu-zk-client
-    uses: ./.github/workflows/benchmark_wasm_client_common.yml
-    needs: should-run
+  setup-instance:
+    name: benchmark_wasm_client/setup-instance
    if: github.event_name == 'workflow_dispatch' ||
      (github.event_name == 'schedule' && github.repository == 'zama-ai/tfhe-rs') ||
      (github.event_name == 'push' && github.repository == 'zama-ai/tfhe-rs' && needs.should-run.outputs.wasm_bench)
-    secrets:
-      BOT_USERNAME: ${{ secrets.BOT_USERNAME }}
-      SLACK_CHANNEL: ${{ secrets.SLACK_CHANNEL }}
-      SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
-      REPO_CHECKOUT_TOKEN: ${{ secrets.REPO_CHECKOUT_TOKEN }}
-      JOB_SECRET: ${{ secrets.JOB_SECRET }}
-      SLAB_ACTION_TOKEN: ${{ secrets.SLAB_ACTION_TOKEN }}
-      SLAB_URL: ${{ secrets.SLAB_URL }}
-      SLAB_BASE_URL: ${{ secrets.SLAB_BASE_URL }}
+    needs: should-run
+    runs-on: ubuntu-latest
+    outputs:
+      runner-name: ${{ steps.start-instance.outputs.label }}
+    steps:
+      - name: Start instance
+        id: start-instance
+        uses: zama-ai/slab-github-runner@5aee5d157f4a0201e5eaefc9cc648e5f9f5472a5 # v1.6.0
+        with:
+          mode: start
+          github-token: ${{ secrets.SLAB_ACTION_TOKEN }}
+          slab-url: ${{ secrets.SLAB_BASE_URL }}
+          job-secret: ${{ secrets.JOB_SECRET }}
+          backend: aws
+          profile: cpu-small
+
+  wasm-client-benchmarks:
+    name: benchmark_wasm_client/wasm-client-benchmarks
+    needs: setup-instance
+    if: needs.setup-instance.result != 'skipped'
+    runs-on: ${{ needs.setup-instance.outputs.runner-name }}
+    strategy:
+      max-parallel: 1
+      matrix:
+        browser: [ chrome, firefox ]
+    steps:
+      - name: Checkout tfhe-rs repo with tags
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
+        with:
+          fetch-depth: 0
+          persist-credentials: 'false'
+          token: ${{ secrets.REPO_CHECKOUT_TOKEN }}
+
+      - name: Get benchmark details
+        run: |
+          COMMIT_DATE=$(git --no-pager show -s --format=%cd --date=iso8601-strict "${SHA}");
+          {
+            echo "BENCH_DATE=$(date --iso-8601=seconds)";
+            echo "COMMIT_DATE=${COMMIT_DATE}";
+            echo "COMMIT_HASH=$(git describe --tags --dirty)";
+          } >> "${GITHUB_ENV}"
+        env:
+          SHA: ${{ github.sha }}
+
+      - name: Install rust
+        uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9 # zizmor: ignore[stale-action-refs] this action doesn't create releases
+        with:
+          toolchain: nightly
+
+      - name: Get Node version
+        run: |
+          echo "NODE_VERSION=$(make node_version)" >> "${GITHUB_ENV}"
+
+      - name: Node cache restoration
+        id: node-cache
+        uses: actions/cache/restore@9255dc7a253b0ccc959486e2bca901246202afeb #v5.0.1
+        with:
+          path: |
+            ~/.nvm
+            ~/.npm
+          key: node-${{ env.NODE_VERSION }}
+
+      - name: Install Node
+        if: steps.node-cache.outputs.cache-hit != 'true'
+        run: |
+          make install_node
+
+      - name: Node cache save
+        uses: actions/cache/save@9255dc7a253b0ccc959486e2bca901246202afeb #v5.0.1
+        if: steps.node-cache.outputs.cache-hit != 'true'
+        with:
+          path: |
+            ~/.nvm
+            ~/.npm
+          key: node-${{ env.NODE_VERSION }}
+
+      - name: Install web resources
+        run: |
+          make install_"${BROWSER}"_browser
+          make install_"${BROWSER}"_web_driver
+        env:
+          BROWSER: ${{ matrix.browser }}
+
+      - name: Run benchmarks
+        run: |
+          make bench_web_js_api_parallel_"${BROWSER}"_ci
+        env:
+          BROWSER: ${{ matrix.browser }}
+
+      - name: Run benchmarks (unsafe coop)
+        run: |
+          make bench_web_js_api_unsafe_coop_"${BROWSER}"_ci
+        env:
+          BROWSER: ${{ matrix.browser }}
+
+      - name: Parse results
+        run: |
+          make parse_wasm_benchmarks
+          python3 ./ci/benchmark_parser.py tfhe-benchmark/wasm_pk_gen.csv "${RESULTS_FILENAME}" \
+          --database tfhe_rs \
+          --hardware "m6i.4xlarge" \
+          --project-version "${COMMIT_HASH}" \
+          --branch "${REF_NAME}" \
+          --commit-date "${COMMIT_DATE}" \
+          --bench-date "${BENCH_DATE}" \
+          --key-gen
+          rm tfhe-benchmark/wasm_pk_gen.csv
+        env:
+          REF_NAME: ${{ github.ref_name }}
+
+      - name: Upload parsed results artifact
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f
+        with:
+          name: ${{ github.sha }}_wasm_${{ matrix.browser }}
+          path: ${{ env.RESULTS_FILENAME }}
+
+      - name: Checkout Slab repo
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
+        with:
+          repository: zama-ai/slab
+          path: slab
+          persist-credentials: 'false'
+          token: ${{ secrets.REPO_CHECKOUT_TOKEN }}
+
+      - name: Send data to Slab
+        shell: bash
+        run: |
+          python3 slab/scripts/data_sender.py "${RESULTS_FILENAME}" "${JOB_SECRET}" \
+          --slab-url "${SLAB_URL}"
+        env:
+          JOB_SECRET: ${{ secrets.JOB_SECRET }}
+          SLAB_URL: ${{ secrets.SLAB_URL }}
+
+      - name: Slack Notification
+        if: ${{ failure() || (cancelled() && github.event_name != 'pull_request') }}
+        continue-on-error: true
+        uses: rtCamp/action-slack-notify@e31e87e03dd19038e411e38ae27cbad084a90661
+        env:
+          SLACK_COLOR: ${{ job.status }}
+          SLACK_MESSAGE: "WASM benchmarks (${{ matrix.browser }}) finished with status: ${{ job.status }}. (${{ env.ACTION_RUN_URL }})"
+
+  teardown-instance:
+    name: benchmark_wasm_client/teardown-instance
+    if: ${{ always() && needs.setup-instance.result == 'success' }}
+    needs: [ setup-instance, wasm-client-benchmarks ]
+    runs-on: ubuntu-latest
+    steps:
+      - name: Stop instance
+        id: stop-instance
+        uses: zama-ai/slab-github-runner@5aee5d157f4a0201e5eaefc9cc648e5f9f5472a5 # v1.6.0
+        with:
+          mode: stop
+          github-token: ${{ secrets.SLAB_ACTION_TOKEN }}
+          slab-url: ${{ secrets.SLAB_BASE_URL }}
+          job-secret: ${{ secrets.JOB_SECRET }}
+          label: ${{ needs.setup-instance.outputs.runner-name }}
+
+      - name: Slack Notification
+        if: ${{ failure() }}
+        uses: rtCamp/action-slack-notify@e31e87e03dd19038e411e38ae27cbad084a90661
+        env:
+          SLACK_COLOR: ${{ job.status }}
+          SLACK_MESSAGE: "Instance teardown (wasm-client-benchmarks) finished with status: ${{ job.status }}. (${{ env.ACTION_RUN_URL }})"
--- a/.github/workflows/benchmark_wasm_client_common.yml
+++ b/.github/workflows/benchmark_wasm_client_common.yml
@@ -1,234 +0,0 @@
-# Run WASM client benchmarks on an instance and return parsed results to Slab CI bot.
-name: benchmark_wasm_client_common
-
-on:
-  workflow_call:
-    inputs:
-      browser:
-        type: string # Use comma separated values to generate an array
-        default: chrome,firefox
-    secrets:
-      REPO_CHECKOUT_TOKEN:
-        required: true
-      SLAB_ACTION_TOKEN:
-        required: true
-      SLAB_BASE_URL:
-        required: true
-      SLAB_URL:
-        required: true
-      JOB_SECRET:
-        required: true
-      SLACK_CHANNEL:
-        required: true
-      BOT_USERNAME:
-        required: true
-      SLACK_WEBHOOK:
-        required: true
-
-env:
-  CARGO_TERM_COLOR: always
-  RESULTS_FILENAME: parsed_benchmark_results_${{ github.sha }}.json
-  ACTION_RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
-  RUST_BACKTRACE: "full"
-  RUST_MIN_STACK: "8388608"
-  SLACK_CHANNEL: ${{ secrets.SLACK_CHANNEL }}
-  SLACK_ICON: https://pbs.twimg.com/profile_images/1274014582265298945/OjBKP9kn_400x400.png
-  SLACK_USERNAME: ${{ secrets.BOT_USERNAME }}
-  SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
-
-
-permissions: {}
-
-# zizmor: ignore[concurrency-limits] only Zama organization members and GitHub can trigger this workflow
-
-jobs:
-  prepare-matrix:
-    name: benchmark_wasm_client_common/prepare-matrix
-    runs-on: ubuntu-latest
-    outputs:
-      browser: ${{ steps.set_matrix_arg.outputs.browser }}
-    steps:
-      - name: Parse user inputs
-        shell: python
-        env:
-          INPUTS_BROWSER: ${{ inputs.browser }}
-        run: |
-          import os
-
-          inputs_browser = os.environ["INPUTS_BROWSER"]
-          env_file = os.environ["GITHUB_ENV"]
-
-          split_browser = inputs_browser.replace(" ", "").split(",")
-
-          with open(env_file, "a") as f:
-            f.write(f"""BROWSER=["{'", "'.join(split_browser)}"]\n""")
-
-      - name: Set matrix arguments output
-        id: set_matrix_arg
-        run: | # zizmor: ignore[template-injection] this env variable is safe
-          echo "browser=${{ toJSON(env.BROWSER) }}" >> "${GITHUB_OUTPUT}"
-
-  setup-instance:
-    name: benchmark_wasm_client_common/setup-instance
-    needs: prepare-matrix
-    runs-on: ubuntu-latest
-    outputs:
-      runner-name: ${{ steps.start-instance.outputs.label }}
-    steps:
-      - name: Start instance
-        id: start-instance
-        uses: zama-ai/slab-github-runner@5aee5d157f4a0201e5eaefc9cc648e5f9f5472a5 # v1.6.0
-        with:
-          mode: start
-          github-token: ${{ secrets.SLAB_ACTION_TOKEN }}
-          slab-url: ${{ secrets.SLAB_BASE_URL }}
-          job-secret: ${{ secrets.JOB_SECRET }}
-          backend: aws
-          profile: cpu-small
-
-  wasm-client-benchmarks:
-    name: benchmark_wasm_client_common/wasm-client-benchmarks
-    needs: [ prepare-matrix, setup-instance ]
-    runs-on: ${{ needs.setup-instance.outputs.runner-name }}
-    strategy:
-      max-parallel: 1
-      matrix:
-        browser: ${{ fromJSON(needs.prepare-matrix.outputs.browser) }}
-    steps:
-      - name: Checkout tfhe-rs repo with tags
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
-        with:
-          fetch-depth: 0
-          persist-credentials: 'false'
-          token: ${{ secrets.REPO_CHECKOUT_TOKEN }}
-
-      - name: Get benchmark details
-        run: |
-          COMMIT_DATE=$(git --no-pager show -s --format=%cd --date=iso8601-strict "${SHA}");
-          {
-            echo "BENCH_DATE=$(date --iso-8601=seconds)";
-            echo "COMMIT_DATE=${COMMIT_DATE}";
-            echo "COMMIT_HASH=$(git describe --tags --dirty)";
-          } >> "${GITHUB_ENV}"
-        env:
-          SHA: ${{ github.sha }}
-
-      - name: Install rust
-        uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9 # zizmor: ignore[stale-action-refs] this action doesn't create releases
-        with:
-          toolchain: nightly
-
-      - name: Get Node version
-        run: |
-          echo "NODE_VERSION=$(make node_version)" >> "${GITHUB_ENV}"
-
-      - name: Node cache restoration
-        id: node-cache
-        uses: actions/cache/restore@668228422ae6a00e4ad889ee87cd7109ec5666a7 #v5.0.4
-        with:
-          path: |
-            ~/.nvm
-            ~/.npm
-          key: node-${{ env.NODE_VERSION }}
-
-      - name: Install Node
-        if: steps.node-cache.outputs.cache-hit != 'true'
-        run: |
-          make install_node
-
-      - name: Node cache save
-        uses: actions/cache/save@668228422ae6a00e4ad889ee87cd7109ec5666a7 #v5.0.4
-        if: steps.node-cache.outputs.cache-hit != 'true'
-        with:
-          path: |
-            ~/.nvm
-            ~/.npm
-          key: node-${{ env.NODE_VERSION }}
-
-      - name: Install web resources
-        run: |
-          make install_"${BROWSER}"_browser
-          make install_"${BROWSER}"_web_driver
-        env:
-          BROWSER: ${{ matrix.browser }}
-
-      - name: Run benchmarks
-        run: |
-          make bench_web_js_api_parallel_"${BROWSER}"_ci
-        env:
-          BROWSER: ${{ matrix.browser }}
-
-      - name: Run benchmarks (cross origin)
-        run: |
-          make bench_web_js_api_cross_origin_"${BROWSER}"_ci
-        env:
-          BROWSER: ${{ matrix.browser }}
-
-      - name: Parse results
-        run: |
-          make parse_wasm_benchmarks
-          python3 ./ci/benchmark_parser.py tfhe-benchmark/wasm_pk_gen.csv "${RESULTS_FILENAME}" \
-          --database tfhe_rs \
-          --hardware "m6i.4xlarge" \
-          --project-version "${COMMIT_HASH}" \
-          --branch "${REF_NAME}" \
-          --commit-date "${COMMIT_DATE}" \
-          --bench-date "${BENCH_DATE}" \
-          --key-gen
-          rm tfhe-benchmark/wasm_pk_gen.csv
-        env:
-          REF_NAME: ${{ github.ref_name }}
-
-      - name: Upload parsed results artifact
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a
-        with:
-          name: ${{ github.sha }}_wasm_${{ matrix.browser }}
-          path: ${{ env.RESULTS_FILENAME }}
-
-      - name: Checkout Slab repo
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
-        with:
-          repository: zama-ai/slab
-          path: slab
-          persist-credentials: 'false'
-          token: ${{ secrets.REPO_CHECKOUT_TOKEN }}
-
-      - name: Send data to Slab
-        shell: bash
-        run: |
-          python3 slab/scripts/data_sender.py "${RESULTS_FILENAME}" "${JOB_SECRET}" \
-          --slab-url "${SLAB_URL}"
-        env:
-          JOB_SECRET: ${{ secrets.JOB_SECRET }}
-          SLAB_URL: ${{ secrets.SLAB_URL }}
-
-      - name: Slack Notification
-        if: ${{ failure() || (cancelled() && github.event_name != 'pull_request') }}
-        continue-on-error: true
-        uses: rtCamp/action-slack-notify@e31e87e03dd19038e411e38ae27cbad084a90661
-        env:
-          SLACK_COLOR: ${{ job.status }}
-          SLACK_MESSAGE: "WASM benchmarks (${{ matrix.browser }}) finished with status: ${{ job.status }}. (${{ env.ACTION_RUN_URL }})"
-
-  teardown-instance:
-    name: benchmark_wasm_client_common/teardown-instance
-    if: ${{ always() && needs.setup-instance.result == 'success' }}
-    needs: [ setup-instance, wasm-client-benchmarks ]
-    runs-on: ubuntu-latest
-    steps:
-      - name: Stop instance
-        id: stop-instance
-        uses: zama-ai/slab-github-runner@5aee5d157f4a0201e5eaefc9cc648e5f9f5472a5 # v1.6.0
-        with:
-          mode: stop
-          github-token: ${{ secrets.SLAB_ACTION_TOKEN }}
-          slab-url: ${{ secrets.SLAB_BASE_URL }}
-          job-secret: ${{ secrets.JOB_SECRET }}
-          label: ${{ needs.setup-instance.outputs.runner-name }}
-
-      - name: Slack Notification
-        if: ${{ failure() }}
-        uses: rtCamp/action-slack-notify@e31e87e03dd19038e411e38ae27cbad084a90661
-        env:
-          SLACK_COLOR: ${{ job.status }}
-          SLACK_MESSAGE: "Instance teardown (wasm-client-benchmarks) finished with status: ${{ job.status }}. (${{ env.ACTION_RUN_URL }})"
--- a/.github/workflows/cargo_audit.yml
+++ b/.github/workflows/cargo_audit.yml
@@ -24,11 +24,9 @@ permissions: {}
 jobs:
  audit:
    name: cargo_audit/audit
-    if: github.event_name == 'workflow_dispatch' ||
-      (github.event_name == 'schedule' && github.repository == 'zama-ai/tfhe-rs')
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
        with:
          persist-credentials: 'false'
          token: ${{ env.CHECKOUT_TOKEN }}
--- a/.github/workflows/cargo_build.yml
+++ b/.github/workflows/cargo_build.yml
@@ -24,7 +24,7 @@ jobs:
    outputs:
      matrix_command: ${{ steps.set-pcc-commands-matrix.outputs.commands }}
    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
        with:
          persist-credentials: "false"
          token: ${{ env.CHECKOUT_TOKEN }}
--- a/.github/workflows/cargo_build_common.yml
+++ b/.github/workflows/cargo_build_common.yml
@@ -57,7 +57,9 @@ env:
  SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
  SLACKIFY_MARKDOWN: true
  CHECKOUT_TOKEN: ${{ secrets.REPO_CHECKOUT_TOKEN || secrets.GITHUB_TOKEN }}
-
+  # Secrets will be available only to zama-ai organization members
+  SECRETS_AVAILABLE: ${{ secrets.JOB_SECRET != '' }}
+  EXTERNAL_CONTRIBUTION_RUNNER: "large_ubuntu_16"
  LINELINT_VERSION: 0.0.6
  LINELINT_CHECKSUM: "16b70fb7b471d6f95cbdc0b4e5dc2b0ac9e84ba9ecdc488f7bdf13df823aca4b"

@@ -67,10 +69,37 @@ permissions:
 # zizmor: ignore[concurrency-limits] caller workflow is responsible for the concurrency

 jobs:
-  prepare-matrix:
-    name: cargo_build_common/prepare-matrix
+  setup-instance:
+    name: cargo_build_common/setup-instance
    if: inputs.run-pcc-cpu-batch || inputs.run-pcc-hpu || inputs.run-build || inputs.run-build-layers || inputs.run-build-tfhe-full || inputs.run-build-c-api
    runs-on: ubuntu-latest
+    outputs:
+      runner-name: ${{ steps.start-remote-instance.outputs.label || steps.start-github-instance.outputs.runner_group }}
+      run_attempt: ${{ github.run_attempt }} # On a re-run with a successful previous run for this job, the run_attempt will not be incremented
+    steps:
+      - name: Start remote instance
+        id: start-remote-instance
+        if: env.SECRETS_AVAILABLE == 'true'
+        uses: zama-ai/slab-github-runner@5aee5d157f4a0201e5eaefc9cc648e5f9f5472a5 # v1.6.0
+        with:
+          mode: start
+          github-token: ${{ secrets.SLAB_ACTION_TOKEN }}
+          slab-url: ${{ secrets.SLAB_BASE_URL }}
+          job-secret: ${{ secrets.JOB_SECRET }}
+          backend: aws
+          profile: cpu-small
+
+      # This instance will be spawned especially for pull-request from forked repository
+      - name: Start GitHub instance
+        id: start-github-instance
+        if: env.SECRETS_AVAILABLE == 'false'
+        run: |
+          echo "runner_group=${EXTERNAL_CONTRIBUTION_RUNNER}" >> "$GITHUB_OUTPUT"
+
+  prepare-matrix:
+    name: cargo_build_common/prepare-matrix
+    runs-on: ubuntu-latest
+    needs: setup-instance
    outputs:
      runners: ${{ steps.set_matrix_runners.outputs.runners }}
    steps:
@@ -78,12 +107,12 @@ jobs:
        shell: python
        env:
          INPUTS_EXTRA_RUNNERS_TO_USE: ${{ inputs.extra-runners-to-use }}
-          REMOTE_RUNNER: "runs-on=${{ github.run_id }}/runner=cpu-small"
+          REMOTE_RUNNER_LABEL: ${{ needs.setup-instance.outputs.runner-name }}
        run: |
          import os
          
          inputs_extra_runners = os.environ["INPUTS_EXTRA_RUNNERS_TO_USE"]
-          remote_runner_label = os.environ["REMOTE_RUNNER"]
+          remote_runner_label = os.environ["REMOTE_RUNNER_LABEL"]
          env_file = os.environ["GITHUB_ENV"]
          
          runners = [remote_runner_label, ]
@@ -94,14 +123,14 @@ jobs:
          with open(env_file, "a") as f:
            f.write(f"""RUNNERS=["{'", "'.join(runners)}"]\n""")

-      - name: Set matrix runners outputs
+      - name: Set martix runners outputs
        id: set_matrix_runners
        run: | # zizmor: ignore[template-injection] these env variable are safe
          echo "runners=${{ toJSON(env.RUNNERS) }}" >> "${GITHUB_OUTPUT}"

  builds:
    name: cargo_build_common/builds
-    needs: prepare-matrix
+    needs: [ setup-instance, prepare-matrix ]
    runs-on: ${{ matrix.runner }}
    strategy:
      matrix:
@@ -111,7 +140,7 @@ jobs:
      result: ${{ steps.set_builds_result.outputs.result }}
    steps:
      - name: Checkout tfhe-rs repo
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
        with:
          persist-credentials: 'false'
          token: ${{ env.CHECKOUT_TOKEN }}
@@ -130,35 +159,6 @@ jobs:
          chmod +x linelint-linux-amd64
          ln -s "$(pwd)/linelint-linux-amd64" /usr/local/bin/linelint

-      - name: Get Node version
-        if: inputs.run-pcc-cpu-batch == 'pcc_batch_2'
-        run: |
-          echo "NODE_VERSION=$(make node_version)" >> "${GITHUB_ENV}"
-
-      - name: Node cache restoration
-        if: inputs.run-pcc-cpu-batch == 'pcc_batch_2'
-        id: node-cache
-        uses: actions/cache/restore@668228422ae6a00e4ad889ee87cd7109ec5666a7 #v5.0.4
-        with:
-          path: |
-            ~/.nvm
-            ~/.npm
-          key: node-${{ env.NODE_VERSION }}
-
-      - name: Install Node
-        if: inputs.run-pcc-cpu-batch == 'pcc_batch_2'
-        run: |
-          make install_node
-
-      - name: Node cache save
-        uses: actions/cache/save@668228422ae6a00e4ad889ee87cd7109ec5666a7 #v5.0.4
-        if: inputs.run-pcc-cpu-batch == 'pcc_batch_2' && steps.node-cache.outputs.cache-hit != 'true'
-        with:
-          path: |
-            ~/.nvm
-            ~/.npm
-          key: node-${{ env.NODE_VERSION }}
-
      - name: Run pcc checks batch
        if: inputs.run-pcc-cpu-batch
        run: |
@@ -230,3 +230,29 @@ jobs:
        if: ${{ always() }}
        run: | # zizmor: ignore[template-injection] this context variable is safe
          echo "result=${{ job.status }}" >> "${GITHUB_OUTPUT}"
+
+  teardown-instance:
+    name: cargo_build_common/teardown-instance
+    if: ${{ always() &&
+      needs.setup-instance.result == 'success' &&
+      github.run_attempt == needs.setup-instance.outputs.run_attempt }} # Only run if setup-instance has been executed during this run attempt
+    needs: [setup-instance, builds]
+    runs-on: ubuntu-latest
+    steps:
+      - name: Stop remote instance
+        id: stop-instance
+        if: env.SECRETS_AVAILABLE == 'true'
+        uses: zama-ai/slab-github-runner@5aee5d157f4a0201e5eaefc9cc648e5f9f5472a5 # v1.6.0
+        with:
+          mode: stop
+          github-token: ${{ secrets.SLAB_ACTION_TOKEN }}
+          slab-url: ${{ secrets.SLAB_BASE_URL }}
+          job-secret: ${{ secrets.JOB_SECRET }}
+          label: ${{ needs.setup-instance.outputs.runner-name }}
+
+      - name: Slack Notification
+        if: ${{ failure() }}
+        uses: rtCamp/action-slack-notify@e31e87e03dd19038e411e38ae27cbad084a90661
+        env:
+          SLACK_COLOR: ${{ job.status }}
+          SLACK_MESSAGE: "Instance teardown (cargo-builds) finished with status: ${{ job.status }}. (${{ env.ACTION_RUN_URL }})"
--- a/.github/workflows/cargo_build_tfhe_fft.yml
+++ b/.github/workflows/cargo_build_tfhe_fft.yml
@@ -26,13 +26,13 @@ jobs:
      fail-fast: false

    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
        with:
          persist-credentials: 'false'
          token: ${{ env.CHECKOUT_TOKEN }}

      - name: Install Rust
-        uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9 # zizmor: ignore[stale-action-refs] this action doesn't create releases
+        uses: actions-rs/toolchain@16499b5e05bf2e26879000db0c1d13f7e13fa3af
        with:
          toolchain: stable
          override: true
--- a/.github/workflows/cargo_build_tfhe_ntt.yml
+++ b/.github/workflows/cargo_build_tfhe_ntt.yml
@@ -24,13 +24,13 @@ jobs:
        os: [ubuntu-latest, macos-latest, windows-latest]
      fail-fast: false
    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
        with:
          persist-credentials: 'false'
          token: ${{ env.CHECKOUT_TOKEN }}

      - name: Install Rust
-        uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9 # zizmor: ignore[stale-action-refs] this action doesn't create releases
+        uses: actions-rs/toolchain@16499b5e05bf2e26879000db0c1d13f7e13fa3af
        with:
          toolchain: stable
          override: true
--- a/.github/workflows/cargo_test_fft.yml
+++ b/.github/workflows/cargo_test_fft.yml
@@ -2,7 +2,6 @@
 name: cargo_test_fft

 on:
-  workflow_dispatch:
  pull_request:
  push:
    branches:
@@ -23,8 +22,6 @@ permissions:
 jobs:
  should-run:
    name: cargo_test_fft/should-run
-    if: github.event_name != 'push' ||
-      (github.event_name == 'push' && github.repository == 'zama-ai/tfhe-rs')
    runs-on: ubuntu-latest
    permissions:
      pull-requests: read  # Needed to check for file change
@@ -32,7 +29,7 @@ jobs:
      fft_test: ${{ env.IS_PULL_REQUEST == 'false' || steps.changed-files.outputs.fft_any_changed }}
    steps:
      - name: Checkout tfhe-rs
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
        with:
          fetch-depth: 0
          persist-credentials: 'false'
@@ -40,7 +37,7 @@ jobs:

      - name: Check for file changes
        id: changed-files
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
        with:
          files_yaml: |
            fft:
@@ -59,13 +56,13 @@ jobs:
        runner_type: [ ubuntu-latest, macos-latest, windows-latest ]
      fail-fast: false
    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
        with:
          persist-credentials: 'false'
          token: ${{ env.CHECKOUT_TOKEN }}

      - name: Install Rust
-        uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9 # zizmor: ignore[stale-action-refs] this action doesn't create releases
+        uses: actions-rs/toolchain@16499b5e05bf2e26879000db0c1d13f7e13fa3af
        with:
          toolchain: stable
          override: true
@@ -95,7 +92,7 @@ jobs:
    if: needs.should-run.outputs.fft_test == 'true'
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
        with:
          persist-credentials: 'false'
          token: ${{ env.CHECKOUT_TOKEN }}
--- a/.github/workflows/cargo_test_ntt.yml
+++ b/.github/workflows/cargo_test_ntt.yml
@@ -2,7 +2,6 @@
 name: cargo_test_ntt

 on:
-  workflow_dispatch:
  pull_request:
  push:
    branches:
@@ -25,8 +24,6 @@ permissions:
 jobs:
  should-run:
    name: cargo_test_ntt/should-run
-    if: github.event_name != 'push' ||
-      (github.event_name == 'push' && github.repository == 'zama-ai/tfhe-rs')
    runs-on: ubuntu-latest
    permissions:
      pull-requests: read  # Needed to check for file change
@@ -34,7 +31,7 @@ jobs:
      ntt_test: ${{ env.IS_PULL_REQUEST == 'false' || steps.changed-files.outputs.ntt_any_changed }}
    steps:
      - name: Checkout tfhe-rs
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
        with:
          fetch-depth: 0
          persist-credentials: "false"
@@ -42,7 +39,7 @@ jobs:

      - name: Check for file changes
        id: changed-files
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
        with:
          files_yaml: |
            ntt:
@@ -90,13 +87,13 @@ jobs:
        os: ${{fromJson(needs.setup-instance.outputs.matrix_os)}}
      fail-fast: false
    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
        with:
          persist-credentials: "false"
          token: ${{ env.CHECKOUT_TOKEN }}

      - name: Install Rust
-        uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9 # zizmor: ignore[stale-action-refs] this action doesn't create releases
+        uses: actions-rs/toolchain@16499b5e05bf2e26879000db0c1d13f7e13fa3af
        with:
          toolchain: stable
          override: true
--- a/.github/workflows/check_commit.yml
+++ b/.github/workflows/check_commit.yml
@@ -18,7 +18,7 @@ jobs:
      - name: Check first line
        uses: gsactions/commit-message-checker@16fa2d5de096ae0d35626443bcd24f1e756cafee
        with:
-          pattern: '^((feat|fix|chore|refactor|style|test|docs|doc|perf)(\([\w\-_]+\))?\!?\:) .+$'
+          pattern: '^((feat|fix|chore|refactor|style|test|docs|doc)(\([\w\-_]+\))?\!?\:) .+$'
          flags: "gs"
          error: 'Your first line has to contain a commit type and scope like "feat(my_feature): msg".'
          excludeDescription: "true" # optional: this excludes the description body of a pull request
--- a/.github/workflows/ci_lint.yml
+++ b/.github/workflows/ci_lint.yml
@@ -20,7 +20,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout tfhe-rs
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
        with:
          persist-credentials: 'false'
          token: ${{ env.CHECKOUT_TOKEN }}
@@ -43,14 +43,14 @@ jobs:
          echo "version=$(make zizmor_version)" >> "${GITHUB_OUTPUT}"

      - name: Check workflows security
-        uses: zizmorcore/zizmor-action@71321a20a9ded102f6e9ce5718a2fcec2c4f70d8 # v0.5.2
+        uses: zizmorcore/zizmor-action@e639db99335bc9038abc0e066dfcd72e23d26fb4 # v0.3.0
        with:
          advanced-security: 'false' # Print results directly in logs
          persona: pedantic
          version: ${{ steps.get_zizmor.outputs.version }}

      - name: Ensure SHA pinned actions
-        uses: zgosalvez/github-actions-ensure-sha-pinned-actions@ca46236c6ce584ae24bc6283ba8dcf4b3ec8a066 # v5.0.4
+        uses: zgosalvez/github-actions-ensure-sha-pinned-actions@6124774845927d14c601359ab8138699fa5b70c3 # v4.0.1
        with:
          allowlist: |
            slsa-framework/slsa-github-generator
--- a/.github/workflows/code_coverage.yml
+++ b/.github/workflows/code_coverage.yml
@@ -23,16 +23,34 @@ permissions:
 # zizmor: ignore[concurrency-limits] only Zama organization members can trigger this workflow

 jobs:
+  setup-instance:
+    name: code_coverage/setup-instance
+    runs-on: ubuntu-latest
+    outputs:
+      runner-name: ${{ steps.start-instance.outputs.label }}
+    steps:
+      - name: Start instance
+        id: start-instance
+        uses: zama-ai/slab-github-runner@5aee5d157f4a0201e5eaefc9cc648e5f9f5472a5 # v1.6.0
+        with:
+          mode: start
+          github-token: ${{ secrets.SLAB_ACTION_TOKEN }}
+          slab-url: ${{ secrets.SLAB_BASE_URL }}
+          job-secret: ${{ secrets.JOB_SECRET }}
+          backend: aws
+          profile: cpu-small
+
  code-coverage-tests:
    name: code_coverage/code-coverage-tests
+    needs: setup-instance
    concurrency:
      group: ${{ github.workflow_ref }}_${{ github.event_name }}
      cancel-in-progress: true
-    runs-on: "runs-on=${{ github.run_id }}/runner=cpu-small"
+    runs-on: ${{ needs.setup-instance.outputs.runner-name }}
    timeout-minutes: 5760 # 4 days
    steps:
      - name: Checkout tfhe-rs
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
        with:
          persist-credentials: 'false'
          token: ${{ env.CHECKOUT_TOKEN }}
@@ -44,7 +62,7 @@ jobs:

      - name: Check for file changes
        id: changed-files
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
        with:
          files_yaml: |
            tfhe:
@@ -74,7 +92,7 @@ jobs:
          make test_shortint_cov

      - name: Upload tfhe coverage to Codecov
-        uses: codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2
+        uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de
        if: steps.changed-files.outputs.tfhe_any_changed == 'true'
        with:
          token: ${{ secrets.CODECOV_TOKEN }}
@@ -88,7 +106,7 @@ jobs:
          make test_integer_cov

      - name: Upload tfhe coverage to Codecov
-        uses: codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2
+        uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de
        if: steps.changed-files.outputs.tfhe_any_changed == 'true'
        with:
          token: ${{ secrets.CODECOV_TOKEN }}
@@ -103,3 +121,26 @@ jobs:
        env:
          SLACK_COLOR: ${{ job.status }}
          SLACK_MESSAGE: "Code coverage finished with status: ${{ job.status }}. (${{ env.ACTION_RUN_URL }})"
+
+  teardown-instance:
+    name: code_coverage/teardown-instance
+    if: ${{ always() && needs.setup-instance.result == 'success' }}
+    needs: [ setup-instance, code-coverage-tests ]
+    runs-on: ubuntu-latest
+    steps:
+      - name: Stop instance
+        id: stop-instance
+        uses: zama-ai/slab-github-runner@5aee5d157f4a0201e5eaefc9cc648e5f9f5472a5 # v1.6.0
+        with:
+          mode: stop
+          github-token: ${{ secrets.SLAB_ACTION_TOKEN }}
+          slab-url: ${{ secrets.SLAB_BASE_URL }}
+          job-secret: ${{ secrets.JOB_SECRET }}
+          label: ${{ needs.setup-instance.outputs.runner-name }}
+
+      - name: Slack Notification
+        if: ${{ failure() }}
+        uses: rtCamp/action-slack-notify@e31e87e03dd19038e411e38ae27cbad084a90661
+        env:
+          SLACK_COLOR: ${{ job.status }}
+          SLACK_MESSAGE: "Instance teardown (code-coverage-tests) finished with status: ${{ job.status }}. (${{ env.ACTION_RUN_URL }})"
--- a/.github/workflows/csprng_randomness_tests.yml
+++ b/.github/workflows/csprng_randomness_tests.yml
@@ -10,10 +10,10 @@ env:
  SLACK_ICON: https://pbs.twimg.com/profile_images/1274014582265298945/OjBKP9kn_400x400.png
  SLACK_USERNAME: ${{ secrets.BOT_USERNAME }}
  SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
-  SLACKIFY_MARKDOWN: true
-  PULL_REQUEST_MD_LINK: ""
  CHECKOUT_TOKEN: ${{ secrets.REPO_CHECKOUT_TOKEN || secrets.GITHUB_TOKEN }}
-
+  # Secrets will be available only to zama-ai organization members
+  SECRETS_AVAILABLE: ${{ secrets.JOB_SECRET != '' }}
+  EXTERNAL_CONTRIBUTION_RUNNER: "large_ubuntu_16"

 on:
  # Allows you to run this workflow manually from the Actions tab as an alternative.
@@ -27,47 +27,42 @@ permissions:
 # zizmor: ignore[concurrency-limits] concurrency is managed after instance setup to ensure safe provisioning

 jobs:
-  should-run:
-    name: csprng_randomness_tests/should-run
-    if: github.event_name == 'workflow_dispatch' || contains(github.event.label.name, 'approved')
+  setup-instance:
+    name: csprng_randomness_tests/setup-instance
+    if: ${{ github.event_name == 'workflow_dispatch' || contains(github.event.label.name, 'approved') }}
    runs-on: ubuntu-latest
-    permissions:
-      pull-requests: read  # Needed to check for file change
    outputs:
-      csprng_test: ${{ github.event_name == 'workflow_dispatch' ||
-        steps.changed-files.outputs.csprng_any_changed }}
+      runner-name: ${{ steps.start-remote-instance.outputs.label || steps.start-github-instance.outputs.runner_group }}
    steps:
-      - name: Checkout tfhe-rs
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+      - name: Start remote instance
+        id: start-remote-instance
+        if: env.SECRETS_AVAILABLE == 'true'
+        uses: zama-ai/slab-github-runner@5aee5d157f4a0201e5eaefc9cc648e5f9f5472a5 # v1.6.0
        with:
-          fetch-depth: 0
-          persist-credentials: 'false'
-          token: ${{ env.CHECKOUT_TOKEN }}
+          mode: start
+          github-token: ${{ secrets.SLAB_ACTION_TOKEN }}
+          slab-url: ${{ secrets.SLAB_BASE_URL }}
+          job-secret: ${{ secrets.JOB_SECRET }}
+          backend: aws
+          profile: cpu-small

-      - name: Check for file changes
-        id: changed-files
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
-        with:
-          files_yaml: |
-            csprng:
-              - Cargo.toml
-              - tfhe/Cargo.toml
-              - tfhe-csprng/**
-              - utils/tfhe-versionable/**
-              - .github/workflows/csprng_randomness_tests.yml
+      # This instance will be spawned especially for pull-request from forked repository
+      - name: Start GitHub instance
+        id: start-github-instance
+        if: env.SECRETS_AVAILABLE == 'false'
+        run: |
+          echo "runner_group=${EXTERNAL_CONTRIBUTION_RUNNER}" >> "$GITHUB_OUTPUT"

  csprng-randomness-tests:
    name: csprng_randomness_tests/csprng-randomness-tests
-    needs: should-run
-    if: github.event_name == 'workflow_dispatch' ||
-      (contains(github.event.label.name, 'approved') && needs.should-run.outputs.csprng_test == 'true')
+    needs: setup-instance
    concurrency:
      group: ${{ github.workflow_ref }}_${{ github.sha }}_${{ github.event_name }}
      cancel-in-progress: true
-    runs-on: "runs-on=${{ github.run_id }}/runner=cpu-small"
+    runs-on: ${{ needs.setup-instance.outputs.runner-name }}
    steps:
      - name: Checkout tfhe-rs
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
        with:
          persist-credentials: 'false'
          token: ${{ env.CHECKOUT_TOKEN }}
@@ -81,18 +76,34 @@ jobs:
        run: |
          make dieharder_csprng

-      - name: Set pull-request URL
-        if: ${{ failure() && github.event_name == 'pull_request' }}
-        run: |
-          echo "PULL_REQUEST_MD_LINK=[pull-request](${PR_BASE_URL}${PR_NUMBER}), "  >> "${GITHUB_ENV}"
-        env:
-          PR_BASE_URL: ${{ vars.PR_BASE_URL }}
-          PR_NUMBER: ${{ github.event.pull_request.number }}
-
      - name: Slack Notification
        if: ${{ failure() || (cancelled() && github.event_name != 'pull_request') }}
        continue-on-error: true
        uses: rtCamp/action-slack-notify@e31e87e03dd19038e411e38ae27cbad084a90661
        env:
          SLACK_COLOR: ${{ job.status }}
-          SLACK_MESSAGE: "tfhe-csprng randomness check finished with status: ${{ job.status }}. (${{ env.PULL_REQUEST_MD_LINK }}[action run](${{ env.ACTION_RUN_URL }}))"
+          SLACK_MESSAGE: "tfhe-csprng randomness check finished with status: ${{ job.status }}. (${{ env.ACTION_RUN_URL }})"
+
+  teardown-instance:
+    name: csprng_randomness_tests/teardown-instance
+    if: ${{ always() && needs.setup-instance.result == 'success' }}
+    needs: [ setup-instance, csprng-randomness-tests ]
+    runs-on: ubuntu-latest
+    steps:
+      - name: Stop remote instance
+        id: stop-instance
+        if: env.SECRETS_AVAILABLE == 'true'
+        uses: zama-ai/slab-github-runner@5aee5d157f4a0201e5eaefc9cc648e5f9f5472a5 # v1.6.0
+        with:
+          mode: stop
+          github-token: ${{ secrets.SLAB_ACTION_TOKEN }}
+          slab-url: ${{ secrets.SLAB_BASE_URL }}
+          job-secret: ${{ secrets.JOB_SECRET }}
+          label: ${{ needs.setup-instance.outputs.runner-name }}
+
+      - name: Slack Notification
+        if: ${{ failure() }}
+        uses: rtCamp/action-slack-notify@e31e87e03dd19038e411e38ae27cbad084a90661
+        env:
+          SLACK_COLOR: ${{ job.status }}
+          SLACK_MESSAGE: "Instance teardown (csprng-randomness-tests) finished with status: ${{ job.status }}. (${{ env.ACTION_RUN_URL }})"
--- a/.github/workflows/generate_svg_common.yml
+++ b/.github/workflows/generate_svg_common.yml
@@ -9,9 +9,6 @@ on:
        type: string
      layer:
        type: string
-      bench_subset:
-        type: string
-        default: all
      pbs_kind: # Valid values are 'classical', 'multi_bit' or 'any'
        type: string
      grouping_factor: # Valid values are 2, 3, or 4
@@ -19,9 +16,6 @@ on:
        default: 4
      bench_type: # Valid values are 'latency', 'throughput'
        type: string
-      name_suffix:
-        type: string
-        default: _mean_avx512
      backend_comparison:
        type: boolean
        default: false
@@ -49,7 +43,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout tfhe-rs
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
        with:
          persist-credentials: 'false'

@@ -66,8 +60,6 @@ jobs:
          --pbs-kind "${PBS_KIND}" \
          --grouping-factor "${GROUPING_FACTOR}" \
          --bench-type "${BENCH_TYPE}" \
-          --bench-subset "${BENCH_SUBSET}" \
-          --name-suffix "${NAME_SUFFIX}" \
          --time-span-days "${TIME_SPAN}"
        env:
          OUTPUT_FILENAME: ${{ inputs.output_filename }}
@@ -78,8 +70,6 @@ jobs:
          PBS_KIND: ${{ inputs.pbs_kind }}
          GROUPING_FACTOR: ${{ inputs.grouping_factor }}
          BENCH_TYPE: ${{ inputs.bench_type }}
-          BENCH_SUBSET: ${{ inputs.bench_subset }}
-          NAME_SUFFIX: ${{ inputs.name_suffix }}
          TIME_SPAN: ${{ inputs.time_span_days }}
          DATA_EXTRACTOR_DATABASE_USER: ${{ secrets.DATA_EXTRACTOR_DATABASE_USER }}
          DATA_EXTRACTOR_DATABASE_HOST: ${{ secrets.DATA_EXTRACTOR_DATABASE_HOST }}
@@ -87,9 +77,9 @@ jobs:

      - name: Upload tables
        if: inputs.backend_comparison == false
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f
        with:
-          name: ${{ github.sha }}_${{ inputs.backend }}_${{ inputs.layer }}_subset_${{inputs.bench_subset}}_${{ inputs.pbs_kind }}_${{ inputs.bench_type }}_tables
+          name: ${{ github.sha }}_${{ inputs.backend }}_${{ inputs.layer }}_${{ inputs.pbs_kind }}_${{ inputs.bench_type }}_tables
          # This will upload all the file generated
          path: ${{ inputs.output_filename }}*.svg
          retention-days: 60
@@ -111,7 +101,7 @@ jobs:

      - name: Upload comparison tables
        if: inputs.backend_comparison == true
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f
        with:
          name: ${{ github.sha }}_backends_comparison_tables
          # This will upload all the file generated
--- a/.github/workflows/generate_svgs.yml
+++ b/.github/workflows/generate_svgs.yml
@@ -51,7 +51,7 @@ jobs:
      DATA_EXTRACTOR_DATABASE_PASSWORD: ${{ secrets.DATA_EXTRACTOR_DATABASE_PASSWORD }}

  cpu-integer-throughput-table:
-    name: generate_documentation_svgs/cpu-integer-throughput-table
+    name: generate_documentation_svgs/cpu-integer-latency-table
    uses: ./.github/workflows/generate_svg_common.yml
    if: inputs.generate-cpu-svgs
    with:
@@ -150,162 +150,6 @@ jobs:
      DATA_EXTRACTOR_DATABASE_HOST: ${{ secrets.DATA_EXTRACTOR_DATABASE_HOST }}
      DATA_EXTRACTOR_DATABASE_PASSWORD: ${{ secrets.DATA_EXTRACTOR_DATABASE_PASSWORD }}

-  # -----------------------------------------------------------
-  # ZK benchmarks tables
-  # -----------------------------------------------------------
-
-  cpu-zk-server-latency-table:
-    name: generate_documentation_svgs/cpu-zk-server-latency-table
-    uses: ./.github/workflows/generate_svg_common.yml
-    if: inputs.generate-cpu-svgs
-    with:
-      backend: cpu
-      hardware_name: hpc7a.96xlarge
-      layer: integer
-      bench_subset: zk
-      pbs_kind: classical
-      bench_type: latency
-      time_span_days: ${{ inputs.time_span_days }}
-      output_filename: cpu-zk-benchmark-latency
-    secrets:
-      DATA_EXTRACTOR_DATABASE_USER: ${{ secrets.DATA_EXTRACTOR_DATABASE_USER }}
-      DATA_EXTRACTOR_DATABASE_HOST: ${{ secrets.DATA_EXTRACTOR_DATABASE_HOST }}
-      DATA_EXTRACTOR_DATABASE_PASSWORD: ${{ secrets.DATA_EXTRACTOR_DATABASE_PASSWORD }}
-
-  cpu-zk-server-throughput-table:
-    name: generate_documentation_svgs/cpu-zk-server-throughput-table
-    uses: ./.github/workflows/generate_svg_common.yml
-    if: inputs.generate-cpu-svgs
-    with:
-      backend: cpu
-      hardware_name: hpc7a.96xlarge
-      layer: integer
-      bench_subset: zk
-      pbs_kind: classical
-      bench_type: throughput
-      time_span_days: ${{ inputs.time_span_days }}
-      output_filename: cpu-zk-benchmark-throughput
-    secrets:
-      DATA_EXTRACTOR_DATABASE_USER: ${{ secrets.DATA_EXTRACTOR_DATABASE_USER }}
-      DATA_EXTRACTOR_DATABASE_HOST: ${{ secrets.DATA_EXTRACTOR_DATABASE_HOST }}
-      DATA_EXTRACTOR_DATABASE_PASSWORD: ${{ secrets.DATA_EXTRACTOR_DATABASE_PASSWORD }}
-
-  cpu-zk-client-latency-table:
-    name: generate_documentation_svgs/cpu-zk-client-latency-table
-    uses: ./.github/workflows/generate_svg_common.yml
-    if: inputs.generate-cpu-svgs
-    with:
-      backend: cpu
-      hardware_name: m6i.4xlarge
-      layer: wasm
-      bench_subset: zk
-      pbs_kind: classical
-      bench_type: latency
-      name_suffix: _chrome_mean
-      time_span_days: ${{ inputs.time_span_days }}
-      output_filename: cpu-zk-wasm-benchmark-latency
-    secrets:
-      DATA_EXTRACTOR_DATABASE_USER: ${{ secrets.DATA_EXTRACTOR_DATABASE_USER }}
-      DATA_EXTRACTOR_DATABASE_HOST: ${{ secrets.DATA_EXTRACTOR_DATABASE_HOST }}
-      DATA_EXTRACTOR_DATABASE_PASSWORD: ${{ secrets.DATA_EXTRACTOR_DATABASE_PASSWORD }}
-
-  gpu-zk-server-latency-table:
-    name: generate_documentation_svgs/gpu-zk-server-latency-table
-    uses: ./.github/workflows/generate_svg_common.yml
-    if: inputs.generate-gpu-svgs
-    with:
-      backend: gpu
-      hardware_name: n3-H100-SXM5x8
-      layer: integer
-      bench_subset: zk
-      pbs_kind: multi_bit
-      grouping_factor: 4
-      bench_type: latency
-      time_span_days: ${{ inputs.time_span_days }}
-      output_filename: gpu-zk-benchmark-latency
-    secrets:
-      DATA_EXTRACTOR_DATABASE_USER: ${{ secrets.DATA_EXTRACTOR_DATABASE_USER }}
-      DATA_EXTRACTOR_DATABASE_HOST: ${{ secrets.DATA_EXTRACTOR_DATABASE_HOST }}
-      DATA_EXTRACTOR_DATABASE_PASSWORD: ${{ secrets.DATA_EXTRACTOR_DATABASE_PASSWORD }}
-
-  gpu-zk-server-throughput-table:
-    name: generate_documentation_svgs/gpu-zk-server-throughput-table
-    uses: ./.github/workflows/generate_svg_common.yml
-    if: inputs.generate-gpu-svgs
-    with:
-      backend: gpu
-      hardware_name: n3-H100-SXM5x8
-      layer: integer
-      bench_subset: zk
-      pbs_kind: multi_bit
-      grouping_factor: 4
-      bench_type: throughput
-      time_span_days: ${{ inputs.time_span_days }}
-      output_filename: gpu-zk-benchmark-throughput
-    secrets:
-      DATA_EXTRACTOR_DATABASE_USER: ${{ secrets.DATA_EXTRACTOR_DATABASE_USER }}
-      DATA_EXTRACTOR_DATABASE_HOST: ${{ secrets.DATA_EXTRACTOR_DATABASE_HOST }}
-      DATA_EXTRACTOR_DATABASE_PASSWORD: ${{ secrets.DATA_EXTRACTOR_DATABASE_PASSWORD }}
-
-  # -----------------------------------------------------------
-  # ERC7984 benchmarks tables
-  # -----------------------------------------------------------
-
-  cpu-erc7984-latency-throughput-table:
-    name: generate_documentation_svgs/cpu-erc7984-latency-throughput-table
-    uses: ./.github/workflows/generate_svg_common.yml
-    if: inputs.generate-cpu-svgs
-    with:
-      backend: cpu
-      hardware_name: hpc7a.96xlarge
-      layer: hlapi
-      bench_subset: erc7984
-      pbs_kind: classical
-      bench_type: both
-      time_span_days: ${{ inputs.time_span_days }}
-      output_filename: cpu-hlapi-erc7984-benchmark-latency-throughput
-    secrets:
-      DATA_EXTRACTOR_DATABASE_USER: ${{ secrets.DATA_EXTRACTOR_DATABASE_USER }}
-      DATA_EXTRACTOR_DATABASE_HOST: ${{ secrets.DATA_EXTRACTOR_DATABASE_HOST }}
-      DATA_EXTRACTOR_DATABASE_PASSWORD: ${{ secrets.DATA_EXTRACTOR_DATABASE_PASSWORD }}
-
-  gpu-erc7984-latency-throughput-table:
-    name: generate_documentation_svgs/gpu-erc7984-latency-throughput-table
-    uses: ./.github/workflows/generate_svg_common.yml
-    if: inputs.generate-gpu-svgs
-    with:
-      backend: gpu
-      hardware_name: n3-H100-SXM5x8
-      layer: hlapi
-      bench_subset: erc7984
-      pbs_kind: multi_bit
-      grouping_factor: 4
-      bench_type: both
-      time_span_days: ${{ inputs.time_span_days }}
-      output_filename: gpu-hlapi-erc7984-benchmark-h100x8-sxm5-latency-throughput
-    secrets:
-      DATA_EXTRACTOR_DATABASE_USER: ${{ secrets.DATA_EXTRACTOR_DATABASE_USER }}
-      DATA_EXTRACTOR_DATABASE_HOST: ${{ secrets.DATA_EXTRACTOR_DATABASE_HOST }}
-      DATA_EXTRACTOR_DATABASE_PASSWORD: ${{ secrets.DATA_EXTRACTOR_DATABASE_PASSWORD }}
-
-  hpu-erc7984-latency-throughput-table:
-    name: generate_documentation_svgs/hpu-erc7984-latency-throughput-table
-    uses: ./.github/workflows/generate_svg_common.yml
-    if: inputs.generate-hpu-svgs
-    with:
-      backend: hpu
-      hardware_name: hpu_x1
-      layer: hlapi
-      bench_subset: erc7984
-      pbs_kind: classical
-      bench_type: both
-      time_span_days: ${{ inputs.time_span_days }}
-      output_filename: hpu-hlapi-erc7984-benchmark-hpux1-latency-throughput.svg
-    secrets:
-      DATA_EXTRACTOR_DATABASE_USER: ${{ secrets.DATA_EXTRACTOR_DATABASE_USER }}
-      DATA_EXTRACTOR_DATABASE_HOST: ${{ secrets.DATA_EXTRACTOR_DATABASE_HOST }}
-      DATA_EXTRACTOR_DATABASE_PASSWORD: ${{ secrets.DATA_EXTRACTOR_DATABASE_PASSWORD }}
-
  # -----------------------------------------------------------
  # PBS benchmarks tables
  # -----------------------------------------------------------
--- a/.github/workflows/gpu_4090_tests.yml
+++ b/.github/workflows/gpu_4090_tests.yml
@@ -19,8 +19,8 @@ on:
  pull_request:
    types: [ labeled ]
  schedule:
-   # Every other day at 1AM
-   - cron: "0 1 */2 * *"
+    # Nightly tests @ 1AM after each work day
+    - cron: "0 1 * * MON-FRI"

 permissions:
  contents: read
@@ -37,11 +37,11 @@ jobs:
      group: ${{ github.workflow_ref }}
      cancel-in-progress: true
    runs-on: ["self-hosted", "4090-desktop"]
-    timeout-minutes: 2880 # 48 hours
+    timeout-minutes: 1440 # 24 hours

    steps:
      - name: Checkout tfhe-rs
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
        with:
          persist-credentials: 'false'
          token: ${{ env.CHECKOUT_TOKEN }}
--- a/.github/workflows/gpu_code_validation_tests.yml
+++ b/.github/workflows/gpu_code_validation_tests.yml
@@ -23,8 +23,8 @@ on:
  # Allows you to run this workflow manually from the Actions tab as an alternative.
  workflow_dispatch:
  schedule:
-    # every friday noon
-    - cron: "0 12 * * 5"
+    # every month
+    - cron: "0 0 1 * *"

 permissions:
  contents: read
@@ -35,8 +35,8 @@ jobs:
  setup-instance:
    name: gpu_code_validation_tests/setup-instance
    runs-on: ubuntu-latest
-    if: github.event_name == 'workflow_dispatch' ||
-      (github.event_name == 'schedule' && github.repository == 'zama-ai/tfhe-rs')
+    if: github.event_name != 'pull_request' ||
+      (github.event.action == 'labeled' && github.event.label.name == 'approved')
    outputs:
      runner-name: ${{ steps.start-remote-instance.outputs.label || steps.start-github-instance.outputs.runner_group }}
    steps:
@@ -79,7 +79,7 @@ jobs:
            gcc: 11 
    steps:
      - name: Checkout tfhe-rs
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
        with:
          persist-credentials: 'false'
          token: ${{ env.CHECKOUT_TOKEN }}
@@ -93,15 +93,7 @@ jobs:

      - name: Find tools
        run: |
-          # Disable unattended-upgrades to avoid lock issues
-          sudo systemctl mask --now unattended-upgrades
-          sudo systemctl stop --now unattended-upgrades
-
-          sudo apt-get clean
-          sudo rm -rf /var/lib/apt/lists/*
-          sudo apt purge -y unattended-upgrades
-
-          sudo apt update && sudo apt install -y valgrind
+          sudo apt update && sudo apt install -y valgrind 
          find /usr -executable -name "compute-sanitizer"
          which valgrind

@@ -114,10 +106,6 @@ jobs:
        run: |
          make test_high_level_api_gpu_valgrind

-      - name: Run CUDA backend racecheck tests
-        run: |
-          make test_cuda_backend_race_check
-
  slack-notify:
    name: gpu_code_validation_tests/slack-notify
    needs: [ setup-instance, cuda-tests-linux ]
--- a/.github/workflows/gpu_core_h100_tests.yml
+++ b/.github/workflows/gpu_core_h100_tests.yml
@@ -1,187 +0,0 @@
-# Compile and test tfhe-cuda-backend on an H100 VM on hyperstack
-name: gpu_core_h100_tests
-
-env:
-  CARGO_TERM_COLOR: always
-  ACTION_RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
-  RUSTFLAGS: "-C target-cpu=native"
-  RUST_BACKTRACE: "full"
-  RUST_MIN_STACK: "8388608"
-  SLACK_CHANNEL: ${{ secrets.SLACK_CHANNEL }}
-  SLACK_ICON: https://pbs.twimg.com/profile_images/1274014582265298945/OjBKP9kn_400x400.png
-  SLACK_USERNAME: ${{ secrets.BOT_USERNAME }}
-  SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
-  SLACKIFY_MARKDOWN: true
-  IS_PULL_REQUEST: ${{ github.event_name == 'pull_request' }}
-  PULL_REQUEST_MD_LINK: ""
-  CHECKOUT_TOKEN: ${{ secrets.REPO_CHECKOUT_TOKEN || secrets.GITHUB_TOKEN }}
-  # Secrets will be available only to zama-ai organization members
-  SECRETS_AVAILABLE: ${{ secrets.JOB_SECRET != '' }}
-  EXTERNAL_CONTRIBUTION_RUNNER: "gpu_ubuntu-22.04"
-
-on:
-  # Allows you to run this workflow manually from the Actions tab as an alternative.
-  workflow_dispatch:
-  pull_request:
-    types: [ labeled, opened, synchronize ]
-
-permissions:
-  contents: read
-
-# zizmor: ignore[concurrency-limits] concurrency is managed after instance setup to ensure safe provisioning
-
-jobs:
-  should-run:
-    name: gpu_core_h100_tests/should-run
-    runs-on: ubuntu-latest
-    permissions:
-      pull-requests: read  # Needed to check for file change
-    outputs:
-      gpu_test: ${{ env.IS_PULL_REQUEST == 'false' || steps.changed-files.outputs.gpu_any_changed }}
-      core_crypto_changed: ${{ steps.changed-files.outputs.core_crypto_any_changed }}
-    steps:
-      - name: Checkout tfhe-rs
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
-        with:
-          fetch-depth: 0
-          persist-credentials: 'false'
-          token: ${{ env.CHECKOUT_TOKEN }}
-
-      - name: Check for file changes
-        id: changed-files
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
-        with:
-          files_yaml: |
-            gpu:
-              - tfhe/Cargo.toml
-              - tfhe/build.rs
-              - backends/tfhe-cuda-backend/**
-              - tfhe/src/core_crypto/gpu/**
-              - tfhe/src/integer/gpu/**
-              - tfhe/src/integer/server_key/radix_parallel/tests_unsigned/**
-              - tfhe/src/integer/server_key/radix_parallel/tests_signed/**
-              - tfhe/src/integer/server_key/radix_parallel/tests_cases_unsigned.rs
-              - tfhe/src/shortint/parameters/**
-              - tfhe/src/c_api/**
-              - '.github/workflows/gpu_core_h100_tests.yml'
-            core_crypto:
-              - tfhe/src/core_crypto/gpu/**
-
-  setup-instance:
-    name: gpu_core_h100_tests/setup-instance
-    needs: should-run
-    if: github.event_name != 'pull_request' ||
-      (github.event.action == 'labeled' && github.event.label.name == 'approved' && needs.should-run.outputs.gpu_test == 'true') ||
-      (github.event.action != 'labeled' && needs.should-run.outputs.core_crypto_changed == 'true')
-    runs-on: ubuntu-latest
-    outputs:
-      runner-name: ${{ steps.start-remote-instance.outputs.label || steps.start-github-instance.outputs.runner_group }}
-    steps:
-      - name: Start remote instance
-        id: start-remote-instance
-        if: env.SECRETS_AVAILABLE == 'true'
-        uses: zama-ai/slab-github-runner@5aee5d157f4a0201e5eaefc9cc648e5f9f5472a5 # v1.6.0
-        with:
-          mode: start
-          github-token: ${{ secrets.SLAB_ACTION_TOKEN }}
-          slab-url: ${{ secrets.SLAB_BASE_URL }}
-          job-secret: ${{ secrets.JOB_SECRET }}
-          backend: hyperstack
-          profile: single-h100
-
-      # This instance will be spawned especially for pull-request from forked repository
-      - name: Start GitHub instance
-        id: start-github-instance
-        if: env.SECRETS_AVAILABLE == 'false'
-        run: |
-          echo "runner_group=${EXTERNAL_CONTRIBUTION_RUNNER}" >> "$GITHUB_OUTPUT"
-
-  cuda-tests-linux:
-    name: gpu_core_h100_tests/cuda-tests-linux
-    needs: [ should-run, setup-instance ]
-    if: github.event_name != 'pull_request' ||
-      (github.event_name == 'pull_request' && needs.setup-instance.result != 'skipped')
-    concurrency:
-      group: ${{ github.workflow_ref }}
-      cancel-in-progress: ${{ github.ref != 'refs/heads/main' }}
-    runs-on: ${{ needs.setup-instance.outputs.runner-name }}
-    strategy:
-      fail-fast: false
-      # explicit include-based build matrix, of known valid options
-      matrix:
-        include:
-          - os: ubuntu-22.04
-            cuda: "12.8"
-            gcc: 11 
-    steps:
-      - name: Checkout tfhe-rs
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
-        with:
-          persist-credentials: 'false'
-          token: ${{ env.CHECKOUT_TOKEN }}
-
-      - name: Setup Hyperstack dependencies
-        uses: ./.github/actions/gpu_setup
-        with:
-          cuda-version: ${{ matrix.cuda }}
-          gcc-version: ${{ matrix.gcc }}
-          github-instance: ${{ env.SECRETS_AVAILABLE == 'false' }}
-
-      - name: Install latest stable
-        uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9 # zizmor: ignore[stale-action-refs] this action doesn't create releases
-        with:
-          toolchain: stable
-      - name: Enable nvidia multi-process service
-        run: |
-          nvidia-cuda-mps-control -d
-      - name: Run core crypto and internal CUDA backend tests
-        run: |
-          BIG_TESTS_INSTANCE=TRUE make test_core_crypto_gpu
-          BIG_TESTS_INSTANCE=TRUE make test_integer_compression_gpu
-          BIG_TESTS_INSTANCE=TRUE make test_cuda_backend
-
-  slack-notify:
-    name: gpu_core_h100_tests/slack-notify
-    needs: [ setup-instance, cuda-tests-linux ]
-    runs-on: ubuntu-latest
-    if: ${{ always() && needs.cuda-tests-linux.result != 'skipped' && failure() }}
-    continue-on-error: true
-    steps:
-      - name: Set pull-request URL
-        if: env.SECRETS_AVAILABLE == 'true' && github.event_name == 'pull_request'
-        run: |
-          echo "PULL_REQUEST_MD_LINK=[pull-request](${PR_BASE_URL}${PR_NUMBER}), "  >> "${GITHUB_ENV}"
-        env:
-          PR_BASE_URL: ${{ vars.PR_BASE_URL }}
-          PR_NUMBER: ${{ github.event.pull_request.number }}
-
-      - name: Send message
-        if: env.SECRETS_AVAILABLE == 'true'
-        uses: rtCamp/action-slack-notify@e31e87e03dd19038e411e38ae27cbad084a90661
-        env:
-          SLACK_COLOR: ${{ needs.cuda-tests-linux.result }}
-          SLACK_MESSAGE: "Core H100 tests finished with status: ${{ needs.cuda-tests-linux.result }}. (${{ env.PULL_REQUEST_MD_LINK }}[action run](${{ env.ACTION_RUN_URL }}))"
-
-  teardown-instance:
-    name: gpu_core_h100_tests/teardown-instance
-    if: ${{ always() && needs.setup-instance.result == 'success' }}
-    needs: [ setup-instance, cuda-tests-linux ]
-    runs-on: ubuntu-latest
-    steps:
-      - name: Stop remote instance
-        id: stop-instance
-        if: env.SECRETS_AVAILABLE == 'true'
-        uses: zama-ai/slab-github-runner@5aee5d157f4a0201e5eaefc9cc648e5f9f5472a5 # v1.6.0
-        with:
-          mode: stop
-          github-token: ${{ secrets.SLAB_ACTION_TOKEN }}
-          slab-url: ${{ secrets.SLAB_BASE_URL }}
-          job-secret: ${{ secrets.JOB_SECRET }}
-          label: ${{ needs.setup-instance.outputs.runner-name }}
-
-      - name: Slack Notification
-        if: ${{ failure() }}
-        uses: rtCamp/action-slack-notify@e31e87e03dd19038e411e38ae27cbad084a90661
-        env:
-          SLACK_COLOR: ${{ job.status }}
-          SLACK_MESSAGE: "Instance teardown (cuda-h100-tests) finished with status: ${{ job.status }}. (${{ env.ACTION_RUN_URL }})"
--- a/.github/workflows/gpu_hlapi_h100_tests.yml
+++ b/.github/workflows/gpu_hlapi_h100_tests.yml
@@ -1,5 +1,5 @@
 # Compile and test tfhe-cuda-backend on an H100 VM on hyperstack
-name: gpu_hlapi_h100_tests
+name: gpu_fast_h100_tests

 env:
  CARGO_TERM_COLOR: always
@@ -23,7 +23,7 @@ on:
  # Allows you to run this workflow manually from the Actions tab as an alternative.
  workflow_dispatch:
  pull_request:
-    types: [ labeled, opened, synchronize ]
+    types: [ labeled ]

 permissions:
  contents: read
@@ -32,16 +32,15 @@ permissions:

 jobs:
  should-run:
-    name: gpu_hlapi_h100_tests/should-run
+    name: gpu_fast_h100_tests/should-run
    runs-on: ubuntu-latest
    permissions:
      pull-requests: read  # Needed to check for file change
    outputs:
      gpu_test: ${{ env.IS_PULL_REQUEST == 'false' || steps.changed-files.outputs.gpu_any_changed }}
-      core_crypto_changed: ${{ steps.changed-files.outputs.core_crypto_any_changed }}
    steps:
      - name: Checkout tfhe-rs
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
        with:
          fetch-depth: 0
          persist-credentials: 'false'
@@ -49,7 +48,7 @@ jobs:

      - name: Check for file changes
        id: changed-files
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
        with:
          files_yaml: |
            gpu:
@@ -65,23 +64,29 @@ jobs:
              - tfhe/src/high_level_api/**
              - tfhe/src/c_api/**
              - 'tfhe/docs/**/**.md'
-              - '.github/workflows/gpu_hlapi_h100_tests.yml'
-            core_crypto:
-              - tfhe/src/core_crypto/gpu/**
+              - '.github/workflows/gpu_fast_h100_tests.yml'
+              - scripts/integer-tests.sh
+              - ci/slab.toml

  setup-instance:
-    name: gpu_hlapi_h100_tests/setup-instance
+    name: gpu_fast_h100_tests/setup-instance
    needs: should-run
    if: github.event_name != 'pull_request' ||
-      (github.event.action == 'labeled' && github.event.label.name == 'approved' && needs.should-run.outputs.gpu_test == 'true') ||
-      (github.event.action != 'labeled' && needs.should-run.outputs.core_crypto_changed == 'true')
+      (github.event.action != 'labeled' && needs.should-run.outputs.gpu_test == 'true') ||
+      (github.event.action == 'labeled' && github.event.label.name == 'approved' && needs.should-run.outputs.gpu_test == 'true')
    runs-on: ubuntu-latest
    outputs:
-      runner-name: ${{ steps.start-remote-instance.outputs.label || steps.start-github-instance.outputs.runner_group }}
+      # Use permanent remote instance label first as on-demand remote instance label output is set before the end of start-remote-instance step.
+      # If the latter fails due to a failed GitHub action runner set up, we have to fallback on the permanent instance.
+      # Since the on-demand remote label is set before failure, we have to do the logical OR in this order,
+      # otherwise we'll try to run the next job on a non-existing on-demand instance.
+      runner-name: ${{ steps.use-permanent-instance.outputs.runner_group || steps.start-remote-instance.outputs.label || steps.start-github-instance.outputs.runner_group }}
+      remote-instance-outcome: ${{ steps.start-remote-instance.outcome }}
    steps:
      - name: Start remote instance
        id: start-remote-instance
        if: env.SECRETS_AVAILABLE == 'true'
+        continue-on-error: true
        uses: zama-ai/slab-github-runner@5aee5d157f4a0201e5eaefc9cc648e5f9f5472a5 # v1.6.0
        with:
          mode: start
@@ -91,6 +96,13 @@ jobs:
          backend: hyperstack
          profile: single-h100

+      # This will allow to fallback on permanent instances running on Hyperstack.
+      - name: Use permanent remote instance
+        id: use-permanent-instance
+        if: env.SECRETS_AVAILABLE == 'true' && steps.start-remote-instance.outcome == 'failure'
+        run: |
+          echo "runner_group=h100x1" >> "$GITHUB_OUTPUT"
+
      # This instance will be spawned especially for pull-request from forked repository
      - name: Start GitHub instance
        id: start-github-instance
@@ -99,7 +111,7 @@ jobs:
          echo "runner_group=${EXTERNAL_CONTRIBUTION_RUNNER}" >> "$GITHUB_OUTPUT"

  cuda-tests-linux:
-    name: gpu_hlapi_h100_tests/cuda-tests-linux
+    name: gpu_fast_h100_tests/cuda-tests-linux
    needs: [ should-run, setup-instance ]
    if: github.event_name != 'pull_request' ||
      (github.event_name == 'pull_request' && needs.setup-instance.result != 'skipped')
@@ -117,12 +129,13 @@ jobs:
            gcc: 11 
    steps:
      - name: Checkout tfhe-rs
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
        with:
          persist-credentials: 'false'
          token: ${{ env.CHECKOUT_TOKEN }}

      - name: Setup Hyperstack dependencies
+        if: needs.setup-instance.outputs.remote-instance-outcome == 'success'
        uses: ./.github/actions/gpu_setup
        with:
          cuda-version: ${{ matrix.cuda }}
@@ -136,7 +149,12 @@ jobs:
      - name: Enable nvidia multi-process service
        run: |
          nvidia-cuda-mps-control -d
-      
+      - name: Run core crypto and internal CUDA backend tests
+        run: |
+          BIG_TESTS_INSTANCE=TRUE make test_core_crypto_gpu
+          BIG_TESTS_INSTANCE=TRUE make test_integer_compression_gpu
+          BIG_TESTS_INSTANCE=TRUE make test_cuda_backend
+
      - name: Run user docs tests
        run: |
          BIG_TESTS_INSTANCE=TRUE make test_user_doc_gpu
@@ -150,7 +168,7 @@ jobs:
          BIG_TESTS_INSTANCE=TRUE make test_high_level_api_gpu

  slack-notify:
-    name: gpu_hlapi_h100_tests/slack-notify
+    name: gpu_fast_h100_tests/slack-notify
    needs: [ setup-instance, cuda-tests-linux ]
    runs-on: ubuntu-latest
    if: ${{ always() && needs.cuda-tests-linux.result != 'skipped' && failure() }}
@@ -169,11 +187,11 @@ jobs:
        uses: rtCamp/action-slack-notify@e31e87e03dd19038e411e38ae27cbad084a90661
        env:
          SLACK_COLOR: ${{ needs.cuda-tests-linux.result }}
-          SLACK_MESSAGE: "HL API H100 tests finished with status: ${{ needs.cuda-tests-linux.result }}. (${{ env.PULL_REQUEST_MD_LINK }}[action run](${{ env.ACTION_RUN_URL }}))"
+          SLACK_MESSAGE: "Fast H100 tests finished with status: ${{ needs.cuda-tests-linux.result }}. (${{ env.PULL_REQUEST_MD_LINK }}[action run](${{ env.ACTION_RUN_URL }}))"

  teardown-instance:
-    name: gpu_hlapi_h100_tests/teardown-instance
-    if: ${{ always() && needs.setup-instance.result == 'success' }}
+    name: gpu_fast_h100_tests/teardown-instance
+    if: ${{ always() && needs.setup-instance.outputs.remote-instance-outcome == 'success' }}
    needs: [ setup-instance, cuda-tests-linux ]
    runs-on: ubuntu-latest
    steps:
--- a/.github/workflows/gpu_fast_tests.yml
+++ b/.github/workflows/gpu_fast_tests.yml
@@ -39,7 +39,7 @@ jobs:
      gpu_test: ${{ env.IS_PULL_REQUEST == 'false' || steps.changed-files.outputs.gpu_any_changed }}
    steps:
      - name: Checkout tfhe-rs
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
        with:
          fetch-depth: 0
          persist-credentials: 'false'
@@ -47,7 +47,7 @@ jobs:

      - name: Check for file changes
        id: changed-files
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
        with:
          files_yaml: |
            gpu:
@@ -64,6 +64,8 @@ jobs:
              - tfhe/src/c_api/**
              - 'tfhe/docs/**/**.md'
              - '.github/workflows/gpu_fast_tests.yml'
+              - scripts/integer-tests.sh
+              - ci/slab.toml

  setup-instance:
    name: gpu_fast_tests/setup-instance
@@ -112,7 +114,7 @@ jobs:
            gcc: 11 
    steps:
      - name: Checkout tfhe-rs
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
        with:
          persist-credentials: 'false'
          token: ${{ env.CHECKOUT_TOKEN }}
@@ -149,7 +151,7 @@ jobs:

      - name: Run High Level API Tests
        run: |
-          make test_high_level_api_gpu_fast
+          make test_high_level_api_gpu

  slack-notify:
    name: gpu_fast_tests/slack-notify
--- a/.github/workflows/gpu_full_h100_tests.yml
+++ b/.github/workflows/gpu_full_h100_tests.yml
@@ -25,10 +25,16 @@ jobs:
    name: gpu_full_h100_tests/setup-instance
    runs-on: ubuntu-latest
    outputs:
-      runner-name: ${{ steps.start-instance.outputs.label }}
+      # Use permanent remote instance label first as on-demand remote instance label output is set before the end of start-remote-instance step.
+      # If the latter fails due to a failed GitHub action runner set up, we have to fallback on the permanent instance.
+      # Since the on-demand remote label is set before failure, we have to do the logical OR in this order,
+      # otherwise we'll try to run the next job on a non-existing on-demand instance.
+      runner-name: ${{ steps.use-permanent-instance.outputs.runner_group || steps.start-remote-instance.outputs.label }}
+      remote-instance-outcome: ${{ steps.start-remote-instance.outcome }}
    steps:
-      - name: Start instance
-        id: start-instance
+      - name: Start remote instance
+        id: start-remote-instance
+        continue-on-error: true
        uses: zama-ai/slab-github-runner@5aee5d157f4a0201e5eaefc9cc648e5f9f5472a5 # v1.6.0
        with:
          mode: start
@@ -38,6 +44,13 @@ jobs:
          backend: hyperstack
          profile: single-h100

+      # This will allow to fallback on permanent instances running on Hyperstack.
+      - name: Use permanent remote instance
+        id: use-permanent-instance
+        if: env.SECRETS_AVAILABLE == 'true' && steps.start-remote-instance.outcome == 'failure'
+        run: |
+          echo "runner_group=h100x1" >> "$GITHUB_OUTPUT"
+
  cuda-tests-linux:
    name: gpu_full_h100_tests/cuda-tests-linux
    needs: [ setup-instance ]
@@ -55,12 +68,13 @@ jobs:
            gcc: 11 
    steps:
      - name: Checkout tfhe-rs
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
        with:
          persist-credentials: 'false'
          token: ${{ secrets.REPO_CHECKOUT_TOKEN }}

      - name: Setup Hyperstack dependencies
+        if: needs.setup-instance.outputs.remote-instance-outcome == 'success'
        uses: ./.github/actions/gpu_setup
        with:
          cuda-version: ${{ matrix.cuda }}
@@ -104,7 +118,7 @@ jobs:

  teardown-instance:
    name: gpu_full_h100_tests/teardown-instance
-    if: ${{ always() && needs.setup-instance.result == 'success' }}
+    if: ${{ always() && needs.setup-instance.outputs.remote-instance-outcome == 'success' }}
    needs: [ setup-instance, cuda-tests-linux ]
    runs-on: ubuntu-latest
    steps:
--- a/.github/workflows/gpu_full_multi_gpu_tests.yml
+++ b/.github/workflows/gpu_full_multi_gpu_tests.yml
@@ -40,7 +40,7 @@ jobs:
      gpu_test: ${{ env.IS_PULL_REQUEST == 'false' || steps.changed-files.outputs.gpu_any_changed }}
    steps:
      - name: Checkout tfhe-rs
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
        with:
          fetch-depth: 0
          persist-credentials: 'false'
@@ -48,7 +48,7 @@ jobs:

      - name: Check for file changes
        id: changed-files
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
        with:
          files_yaml: |
            gpu:
@@ -66,6 +66,7 @@ jobs:
              - 'tfhe/docs/**/**.md'
              - '.github/workflows/**_multi_gpu_tests.yml'
              - scripts/integer-tests.sh
+              - ci/slab.toml

  setup-instance:
    name: gpu_full_multi_gpu_tests/setup-instance
@@ -115,7 +116,7 @@ jobs:
            gcc: 11 
    steps:
      - name: Checkout tfhe-rs
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
        with:
          persist-credentials: 'false'
          token: ${{ env.CHECKOUT_TOKEN }}
@@ -153,7 +154,7 @@ jobs:

      - name: Run High Level API Tests
        run: |
-          make test_high_level_api_gpu_fast
+          make test_high_level_api_gpu

  slack-notify:
    name: gpu_full_multi_gpu_tests/slack-notify
--- a/.github/workflows/gpu_integer_long_run_tests.yml
+++ b/.github/workflows/gpu_integer_long_run_tests.yml
@@ -17,8 +17,8 @@ on:
  # Allows you to run this workflow manually from the Actions tab as an alternative.
  workflow_dispatch:
  schedule:
-    # Weekly tests will be triggered every Monday at 8p.m.
-    - cron: "0 20 * * 1"
+    # Nightly tests will be triggered each evening 8p.m.
+    - cron: "0 20 * * *"
  pull_request:


@@ -28,41 +28,10 @@ permissions:
 # zizmor: ignore[concurrency-limits] concurrency is managed after instance setup to ensure safe provisioning

 jobs:
-  should-run:
-    name: gpu_integer_long_run_tests/should-run
-    runs-on: ubuntu-latest
-    permissions:
-      pull-requests: read  # Needed to check for file change
-    outputs:
-      is_needed_in_gpu_ci: ${{ env.IS_PR == 'false' || steps.changed-files.outputs.gpu_any_changed }}
-    steps:
-      - name: Checkout tfhe-rs
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
-        with:
-          fetch-depth: 0
-          persist-credentials: 'false'
-          token: ${{ env.CHECKOUT_TOKEN }}
-
-      - name: Check for file changes
-        id: changed-files
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
-        with:
-          files_yaml: |
-            gpu:
-              - tfhe/Cargo.toml
-              - tfhe/build.rs
-              - backends/tfhe-cuda-backend/**
-              - tfhe/src/core_crypto/gpu/**
-              - tfhe/src/integer/gpu/**
-              - tfhe/src/shortint/parameters/**
-              - '.github/workflows/gpu_integer_long_run_tests.yml'
-
  setup-instance:
    name: gpu_integer_long_run_tests/setup-instance
-    needs: [should-run]
-    if: github.event_name == 'workflow_dispatch' ||
-      (github.event_name == 'schedule' && github.repository == 'zama-ai/tfhe-rs') ||
-      needs.should-run.outputs.is_needed_in_gpu_ci == 'true'
+    if: github.event_name != 'schedule' ||
+      (github.event_name == 'schedule' && github.repository == 'zama-ai/tfhe-rs')
    runs-on: ubuntu-latest
    outputs:
      runner-name: ${{ steps.start-instance.outputs.label }}
@@ -96,7 +65,7 @@ jobs:
    timeout-minutes: 4320 # 72 hours
    steps:
      - name: Checkout tfhe-rs
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
        with:
          persist-credentials: 'false'
          token: ${{ env.CHECKOUT_TOKEN }}
--- a/.github/workflows/gpu_memory_sanitizer.yml
+++ b/.github/workflows/gpu_memory_sanitizer.yml
@@ -31,43 +31,11 @@ permissions:
 # zizmor: ignore[concurrency-limits] concurrency is managed after instance setup to ensure safe provisioning

 jobs:
-  should-run:
-    name: gpu_memory_sanitizer/should-run
-    runs-on: ubuntu-latest
-    permissions:
-      pull-requests: read  # Needed to check for file change
-    outputs:
-      gpu_test: ${{ env.IS_PULL_REQUEST == 'false' || steps.changed-files.outputs.gpu_any_changed }}
-    steps:
-      - name: Checkout tfhe-rs
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
-        with:
-          fetch-depth: 0
-          persist-credentials: 'false'
-          token: ${{ env.CHECKOUT_TOKEN }}
-
-      - name: Check for file changes
-        id: changed-files
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
-        with:
-          files_yaml: |
-            gpu:
-              - Cargo.toml
-              - tfhe/Cargo.toml
-              - tfhe/build.rs
-              - backends/tfhe-cuda-backend/**
-              - tfhe/src/core_crypto/gpu/**
-              - tfhe/src/integer/gpu/**
-              - tfhe/src/shortint/parameters/**
-              - tfhe/src/high_level_api/**
-              - '.github/workflows/gpu_memory_sanitizer.yml'
-
  setup-instance:
    name: gpu_memory_sanitizer/setup-instance
-    needs: should-run
    runs-on: ubuntu-latest
-    if: github.event_name == 'workflow_dispatch' ||
-      (github.event.action == 'labeled' && github.event.label.name == 'approved' && needs.should-run.outputs.gpu_test == 'true')
+    if: github.event_name != 'pull_request' ||
+      (github.event.action == 'labeled' && github.event.label.name == 'approved')
    outputs:
      runner-name: ${{ steps.start-remote-instance.outputs.label || steps.start-github-instance.outputs.runner_group }}
    steps:
@@ -110,7 +78,7 @@ jobs:
            gcc: 11 
    steps:
      - name: Checkout tfhe-rs
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
        with:
          persist-credentials: 'false'
          token: ${{ env.CHECKOUT_TOKEN }}
--- a/.github/workflows/gpu_memory_sanitizer_h100.yml
+++ b/.github/workflows/gpu_memory_sanitizer_h100.yml
@@ -31,43 +31,11 @@ permissions:
 # zizmor: ignore[concurrency-limits] concurrency is managed after instance setup to ensure safe provisioning

 jobs:
-  should-run:
-    name: gpu_memory_sanitizer_h100/should-run
-    runs-on: ubuntu-latest
-    permissions:
-      pull-requests: read  # Needed to check for file change
-    outputs:
-      gpu_test: ${{ env.IS_PULL_REQUEST == 'false' || steps.changed-files.outputs.gpu_any_changed }}
-    steps:
-      - name: Checkout tfhe-rs
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
-        with:
-          fetch-depth: 0
-          persist-credentials: 'false'
-          token: ${{ env.CHECKOUT_TOKEN }}
-
-      - name: Check for file changes
-        id: changed-files
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
-        with:
-          files_yaml: |
-            gpu:
-              - Cargo.toml
-              - tfhe/Cargo.toml
-              - tfhe/build.rs
-              - backends/tfhe-cuda-backend/**
-              - tfhe/src/core_crypto/gpu/**
-              - tfhe/src/integer/gpu/**
-              - tfhe/src/shortint/parameters/**
-              - tfhe/src/high_level_api/**
-              - '.github/workflows/gpu_memory_sanitizer_h100.yml'
-
  setup-instance:
    name: gpu_memory_sanitizer/setup-instance
-    needs: should-run
    runs-on: ubuntu-latest
-    if: github.event_name == 'workflow_dispatch' ||
-      (github.event.action == 'labeled' && github.event.label.name == 'approved' && needs.should-run.outputs.gpu_test == 'true')
+    if: github.event_name != 'pull_request' ||
+      (github.event.action == 'labeled' && github.event.label.name == 'approved')
    outputs:
      runner-name: ${{ steps.start-remote-instance.outputs.label || steps.start-github-instance.outputs.runner_group }}
    steps:
@@ -110,7 +78,7 @@ jobs:
            gcc: 11 
    steps:
      - name: Checkout tfhe-rs
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
        with:
          persist-credentials: 'false'
          token: ${{ env.CHECKOUT_TOKEN }}
--- a/.github/workflows/gpu_pcc.yml
+++ b/.github/workflows/gpu_pcc.yml
@@ -74,12 +74,12 @@ jobs:

    steps:
      - name: Checkout tfhe-rs
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
        with:
          persist-credentials: 'false'
          token: ${{ env.CHECKOUT_TOKEN }}

-      - name: Install CUDA and other dependencies
+      - name: Install CUDA
        if: env.SECRETS_AVAILABLE == 'false'
        shell: bash
        run: |
@@ -90,17 +90,8 @@ jobs:
          echo "${CUDA_KEYRING_SHA} ${CUDA_KEYRING_PACKAGE}" > checksum
          sha256sum -c checksum
          sudo dpkg -i "${CUDA_KEYRING_PACKAGE}"
-
-          # Disable unattended-upgrades to avoid lock issues
-          sudo systemctl mask --now unattended-upgrades
-          sudo systemctl stop --now unattended-upgrades
-
-          sudo apt-get clean
-          sudo rm -rf /var/lib/apt/lists/*
-          sudo apt purge -y unattended-upgrades
-
          sudo apt update
-          sudo apt -y install "cuda-toolkit-${TOOLKIT_VERSION}" cmake-format python3-venv
+          sudo apt -y install "cuda-toolkit-${TOOLKIT_VERSION}" cmake-format
        env:
          CUDA_VERSION: ${{ matrix.cuda }}

@@ -131,10 +122,6 @@ jobs:
        env:
          GCC_VERSION: ${{ matrix.gcc }}

-      - name: Run semgrep and lint checks on CUDA code
-        run: |
-          make semgrep_and_lint_gpu_code
-
      - name: Run fmt checks
        run: |
          make check_fmt_gpu
@@ -143,10 +130,6 @@ jobs:
        run: |
          make pcc_gpu

-      - name: Run semver checks on tfhe-cuda-backend
-        run: |
-          make semver_check_cuda_backend
-
      - name: Check build with hpu enabled
        run: |
          make clippy_gpu_hpu
--- a/.github/workflows/gpu_signed_integer_classic_tests.yml
+++ b/.github/workflows/gpu_signed_integer_classic_tests.yml
@@ -40,7 +40,7 @@ jobs:
      gpu_test: ${{ env.IS_PULL_REQUEST == 'false' || steps.changed-files.outputs.gpu_any_changed }}
    steps:
      - name: Checkout tfhe-rs
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
        with:
          fetch-depth: 0
          persist-credentials: 'false'
@@ -48,7 +48,7 @@ jobs:

      - name: Check for file changes
        id: changed-files
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
        with:
          files_yaml: |
            gpu:
@@ -63,8 +63,10 @@ jobs:
              - tfhe/src/shortint/parameters/**
              - tfhe/src/high_level_api/**
              - tfhe/src/c_api/**
+              - 'tfhe/docs/**/**.md'
              - '.github/workflows/gpu_signed_integer_classic_tests.yml'
              - scripts/integer-tests.sh
+              - ci/slab.toml

  setup-instance:
    name: gpu_signed_integer_classic_tests/setup-instance
@@ -114,7 +116,7 @@ jobs:
            gcc: 11 
    steps:
      - name: Checkout tfhe-rs
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
        with:
          persist-credentials: 'false'
          token: ${{ env.CHECKOUT_TOKEN }}
--- a/.github/workflows/gpu_signed_integer_h100_tests.yml
+++ b/.github/workflows/gpu_signed_integer_h100_tests.yml
@@ -23,7 +23,7 @@ on:
  # Allows you to run this workflow manually from the Actions tab as an alternative.
  workflow_dispatch:
  pull_request:
-    types: [ labeled, opened, synchronize ]
+    types: [ labeled ]

 permissions:
  contents: read
@@ -38,10 +38,9 @@ jobs:
      pull-requests: read  # Needed to check for file change
    outputs:
      gpu_test: ${{ env.IS_PULL_REQUEST == 'false' || steps.changed-files.outputs.gpu_any_changed }}
-      core_crypto_changed: ${{ steps.changed-files.outputs.core_crypto_any_changed }}
    steps:
      - name: Checkout tfhe-rs
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
        with:
          fetch-depth: 0
          persist-credentials: 'false'
@@ -49,7 +48,7 @@ jobs:

      - name: Check for file changes
        id: changed-files
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
        with:
          files_yaml: |
            gpu:
@@ -64,24 +63,30 @@ jobs:
              - tfhe/src/shortint/parameters/**
              - tfhe/src/high_level_api/**
              - tfhe/src/c_api/**
+              - 'tfhe/docs/**/**.md'
              - '.github/workflows/gpu_signed_integer_h100_tests.yml'
              - scripts/integer-tests.sh
-            core_crypto:
-              - tfhe/src/core_crypto/gpu/**
+              - ci/slab.toml

  setup-instance:
    name: gpu_signed_integer_h100_tests/setup-instance
    needs: should-run
    if: github.event_name != 'pull_request' ||
-      (github.event.action == 'labeled' && github.event.label.name == 'approved' && needs.should-run.outputs.gpu_test == 'true') ||
-      (github.event.action != 'labeled' && needs.should-run.outputs.core_crypto_changed == 'true')
+      (github.event.action != 'labeled' && needs.should-run.outputs.gpu_test == 'true') ||
+      (github.event.action == 'labeled' && github.event.label.name == 'approved' && needs.should-run.outputs.gpu_test == 'true')
    runs-on: ubuntu-latest
    outputs:
-      runner-name: ${{ steps.start-remote-instance.outputs.label || steps.start-github-instance.outputs.runner_group }}
+      # Use permanent remote instance label first as on-demand remote instance label output is set before the end of start-remote-instance step.
+      # If the latter fails due to a failed GitHub action runner set up, we have to fallback on the permanent instance.
+      # Since the on-demand remote label is set before failure, we have to do the logical OR in this order,
+      # otherwise we'll try to run the next job on a non-existing on-demand instance.
+      runner-name: ${{ steps.use-permanent-instance.outputs.runner_group || steps.start-remote-instance.outputs.label || steps.start-github-instance.outputs.runner_group }}
+      remote-instance-outcome: ${{ steps.start-remote-instance.outcome }}
    steps:
      - name: Start remote instance
        id: start-remote-instance
        if: env.SECRETS_AVAILABLE == 'true'
+        continue-on-error: true
        uses: zama-ai/slab-github-runner@5aee5d157f4a0201e5eaefc9cc648e5f9f5472a5 # v1.6.0
        with:
          mode: start
@@ -91,6 +96,13 @@ jobs:
          backend: hyperstack
          profile: single-h100

+      # This will allow to fallback on permanent instances running on Hyperstack.
+      - name: Use permanent remote instance
+        id: use-permanent-instance
+        if: env.SECRETS_AVAILABLE == 'true' && steps.start-remote-instance.outcome == 'failure'
+        run: |
+          echo "runner_group=h100x1" >> "$GITHUB_OUTPUT"
+
      # This instance will be spawned especially for pull-request from forked repository
      - name: Start GitHub instance
        id: start-github-instance
@@ -117,12 +129,13 @@ jobs:
            gcc: 11 
    steps:
      - name: Checkout tfhe-rs
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
        with:
          persist-credentials: 'false'
          token: ${{ env.CHECKOUT_TOKEN }}

      - name: Setup Hyperstack dependencies
+        if: needs.setup-instance.outputs.remote-instance-outcome == 'success'
        uses: ./.github/actions/gpu_setup
        with:
          cuda-version: ${{ matrix.cuda }}
@@ -164,7 +177,7 @@ jobs:

  teardown-instance:
    name: gpu_signed_integer_h100_tests/teardown-instance
-    if: ${{ always() && needs.setup-instance.result == 'success' }}
+    if: ${{ always() && needs.setup-instance.outputs.remote-instance-outcome == 'success' }}
    needs: [ setup-instance, cuda-tests-linux ]
    runs-on: ubuntu-latest
    steps:
--- a/.github/workflows/gpu_signed_integer_tests.yml
+++ b/.github/workflows/gpu_signed_integer_tests.yml
@@ -41,7 +41,7 @@ jobs:
      gpu_test: ${{ env.IS_PULL_REQUEST == 'false' || steps.changed-files.outputs.gpu_any_changed }}
    steps:
      - name: Checkout tfhe-rs
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
        with:
          fetch-depth: 0
          persist-credentials: 'false'
@@ -49,7 +49,7 @@ jobs:

      - name: Check for file changes
        id: changed-files
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
        with:
          files_yaml: |
            gpu:
@@ -64,8 +64,10 @@ jobs:
              - tfhe/src/shortint/parameters/**
              - tfhe/src/high_level_api/**
              - tfhe/src/c_api/**
+              - 'tfhe/docs/**/**.md'
              - '.github/workflows/gpu_signed_integer_tests.yml'
              - scripts/integer-tests.sh
+              - ci/slab.toml

  setup-instance:
    name: gpu_signed_integer_tests/setup-instance
@@ -115,7 +117,7 @@ jobs:
            gcc: 11
    steps:
      - name: Checkout tfhe-rs
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
        with:
          persist-credentials: 'false'
          token: ${{ env.CHECKOUT_TOKEN }}
--- a/.github/workflows/gpu_unsigned_integer_classic_tests.yml
+++ b/.github/workflows/gpu_unsigned_integer_classic_tests.yml
@@ -40,7 +40,7 @@ jobs:
      gpu_test: ${{ env.IS_PULL_REQUEST == 'false' || steps.changed-files.outputs.gpu_any_changed }}
    steps:
      - name: Checkout tfhe-rs
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
        with:
          fetch-depth: 0
          persist-credentials: 'false'
@@ -48,7 +48,7 @@ jobs:

      - name: Check for file changes
        id: changed-files
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
        with:
          files_yaml: |
            gpu:
@@ -63,8 +63,10 @@ jobs:
              - tfhe/src/shortint/parameters/**
              - tfhe/src/high_level_api/**
              - tfhe/src/c_api/**
+              - 'tfhe/docs/**/**.md'
              - '.github/workflows/gpu_unsigned_integer_classic_tests.yml'
              - scripts/integer-tests.sh
+              - ci/slab.toml

  setup-instance:
    name: gpu_unsigned_integer_classic_tests/setup-instance
@@ -114,7 +116,7 @@ jobs:
            gcc: 11 
    steps:
      - name: Checkout tfhe-rs
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
        with:
          persist-credentials: 'false'
          token: ${{ env.CHECKOUT_TOKEN }}
--- a/.github/workflows/gpu_unsigned_integer_h100_tests.yml
+++ b/.github/workflows/gpu_unsigned_integer_h100_tests.yml
@@ -23,7 +23,7 @@ on:
  # Allows you to run this workflow manually from the Actions tab as an alternative.
  workflow_dispatch:
  pull_request:
-    types: [ labeled, opened, synchronize ]
+    types: [ labeled ]

 permissions:
  contents: read
@@ -38,10 +38,9 @@ jobs:
      pull-requests: read  # Needed to check for file change
    outputs:
      gpu_test: ${{ env.IS_PULL_REQUEST == 'false' || steps.changed-files.outputs.gpu_any_changed }}
-      core_crypto_changed: ${{ steps.changed-files.outputs.core_crypto_any_changed }}
    steps:
      - name: Checkout tfhe-rs
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
        with:
          fetch-depth: 0
          persist-credentials: 'false'
@@ -49,7 +48,7 @@ jobs:

      - name: Check for file changes
        id: changed-files
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
        with:
          files_yaml: |
            gpu:
@@ -64,24 +63,30 @@ jobs:
              - tfhe/src/shortint/parameters/**
              - tfhe/src/high_level_api/**
              - tfhe/src/c_api/**
+              - 'tfhe/docs/**/**.md'
              - '.github/workflows/gpu_unsigned_integer_h100_tests.yml'
              - scripts/integer-tests.sh
-            core_crypto:
-              - tfhe/src/core_crypto/gpu/**
+              - ci/slab.toml

  setup-instance:
    name: gpu_unsigned_integer_h100_tests/setup-instance
    needs: should-run
    if: github.event_name == 'workflow_dispatch' ||
-      (github.event.action == 'labeled' && github.event.label.name == 'approved' && needs.should-run.outputs.gpu_test == 'true') ||
-      (github.event.action != 'labeled' && needs.should-run.outputs.core_crypto_changed == 'true')
+      (github.event.action != 'labeled' && needs.should-run.outputs.gpu_test == 'true') ||
+      (github.event.action == 'labeled' && github.event.label.name == 'approved' && needs.should-run.outputs.gpu_test == 'true')
    runs-on: ubuntu-latest
    outputs:
-      runner-name: ${{ steps.start-remote-instance.outputs.label || steps.start-github-instance.outputs.runner_group }}
+      # Use permanent remote instance label first as on-demand remote instance label output is set before the end of start-remote-instance step.
+      # If the latter fails due to a failed GitHub action runner set up, we have to fallback on the permanent instance.
+      # Since the on-demand remote label is set before failure, we have to do the logical OR in this order,
+      # otherwise we'll try to run the next job on a non-existing on-demand instance.
+      runner-name: ${{ steps.use-permanent-instance.outputs.runner_group || steps.start-remote-instance.outputs.label || steps.start-github-instance.outputs.runner_group }}
+      remote-instance-outcome: ${{ steps.start-remote-instance.outcome }}
    steps:
      - name: Start remote instance
        id: start-remote-instance
        if: env.SECRETS_AVAILABLE == 'true'
+        continue-on-error: true
        uses: zama-ai/slab-github-runner@5aee5d157f4a0201e5eaefc9cc648e5f9f5472a5 # v1.6.0
        with:
          mode: start
@@ -91,6 +96,13 @@ jobs:
          backend: hyperstack
          profile: single-h100

+      # This will allow to fallback on permanent instances running on Hyperstack.
+      - name: Use permanent remote instance
+        id: use-permanent-instance
+        if: env.SECRETS_AVAILABLE == 'true' && steps.start-remote-instance.outcome == 'failure'
+        run: |
+          echo "runner_group=h100x1" >> "$GITHUB_OUTPUT"
+
      # This instance will be spawned especially for pull-request from forked repository
      - name: Start GitHub instance
        id: start-github-instance
@@ -117,12 +129,13 @@ jobs:
            gcc: 11 
    steps:
      - name: Checkout tfhe-rs
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
        with:
          persist-credentials: 'false'
          token: ${{ env.CHECKOUT_TOKEN }}

      - name: Setup Hyperstack dependencies
+        if: needs.setup-instance.outputs.remote-instance-outcome == 'success'
        uses: ./.github/actions/gpu_setup
        with:
          cuda-version: ${{ matrix.cuda }}
@@ -164,7 +177,7 @@ jobs:

  teardown-instance:
    name: gpu_unsigned_integer_h100_tests/teardown-instance
-    if: ${{ always() && needs.setup-instance.result == 'success' }}
+    if: ${{ always() && needs.setup-instance.outputs.remote-instance-outcome == 'success' }}
    needs: [ setup-instance, cuda-tests-linux ]
    runs-on: ubuntu-latest
    steps:
--- a/.github/workflows/gpu_unsigned_integer_tests.yml
+++ b/.github/workflows/gpu_unsigned_integer_tests.yml
@@ -41,7 +41,7 @@ jobs:
      gpu_test: ${{ env.IS_PULL_REQUEST == 'false' || steps.changed-files.outputs.gpu_any_changed }}
    steps:
      - name: Checkout tfhe-rs
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
        with:
          fetch-depth: 0
          persist-credentials: 'false'
@@ -49,7 +49,7 @@ jobs:

      - name: Check for file changes
        id: changed-files
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
        with:
          files_yaml: |
            gpu:
@@ -64,8 +64,10 @@ jobs:
              - tfhe/src/shortint/parameters/**
              - tfhe/src/high_level_api/**
              - tfhe/src/c_api/**
+              - 'tfhe/docs/**/**.md'
              - '.github/workflows/gpu_unsigned_integer_tests.yml'
              - scripts/integer-tests.sh
+              - ci/slab.toml

  setup-instance:
    name: gpu_unsigned_integer_tests/setup-instance
@@ -115,7 +117,7 @@ jobs:
            gcc: 11
    steps:
      - name: Checkout tfhe-rs
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
        with:
          persist-credentials: 'false'
          token: ${{ env.CHECKOUT_TOKEN }}
--- a/.github/workflows/gpu_zk_tests.yml
+++ b/.github/workflows/gpu_zk_tests.yml
@@ -1,183 +0,0 @@
-# Compile and test zk-cuda-backend
-name: gpu_zk_tests
-
-env:
-  CARGO_TERM_COLOR: always
-  ACTION_RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
-  RUSTFLAGS: "-C target-cpu=native"
-  RUST_BACKTRACE: "full"
-  RUST_MIN_STACK: "8388608"
-  SLACK_CHANNEL: ${{ secrets.SLACK_CHANNEL }}
-  SLACK_ICON: https://pbs.twimg.com/profile_images/1274014582265298945/OjBKP9kn_400x400.png
-  SLACK_USERNAME: ${{ secrets.BOT_USERNAME }}
-  SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
-  SLACKIFY_MARKDOWN: true
-  IS_PULL_REQUEST: ${{ github.event_name == 'pull_request' }}
-  PULL_REQUEST_MD_LINK: ""
-  CHECKOUT_TOKEN: ${{ secrets.REPO_CHECKOUT_TOKEN || secrets.GITHUB_TOKEN }}
-  # Secrets will be available only to zama-ai organization members
-  SECRETS_AVAILABLE: ${{ secrets.JOB_SECRET != '' }}
-  EXTERNAL_CONTRIBUTION_RUNNER: "gpu_ubuntu-22.04"
-
-on:
-  # Allows you to run this workflow manually from the Actions tab as an alternative.
-  workflow_dispatch:
-  pull_request:
-
-permissions:
-  contents: read
-
-# zizmor: ignore[concurrency-limits] concurrency is managed after instance setup to ensure safe provisioning
-
-jobs:
-  should-run:
-    name: gpu_zk_tests/should-run
-    runs-on: ubuntu-latest
-    permissions:
-      pull-requests: read  # Needed to check for file change
-    outputs:
-      gpu_test: ${{ env.IS_PULL_REQUEST == 'false' || steps.changed-files.outputs.gpu_any_changed }}
-    steps:
-      - name: Checkout tfhe-rs
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
-        with:
-          fetch-depth: 0
-          persist-credentials: 'false'
-          token: ${{ env.CHECKOUT_TOKEN }}
-
-      - name: Check for file changes
-        id: changed-files
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
-        with:
-          files_yaml: |
-            gpu:
-              - tfhe/Cargo.toml
-              - tfhe/build.rs
-              - backends/tfhe-cuda-backend/**
-              - backends/zk-cuda-backend/**
-              - tfhe/src/shortint/parameters/**
-              - tfhe/src/zk/**
-              - tfhe-zk-pok/**
-              - '.github/workflows/gpu_zk_tests.yml'
-              - ci/slab.toml
-
-  setup-instance:
-    name: gpu_zk_tests/setup-instance
-    needs: should-run
-    if: github.event_name == 'workflow_dispatch' ||
-      needs.should-run.outputs.gpu_test == 'true'
-    runs-on: ubuntu-latest
-    outputs:
-      runner-name: ${{ steps.start-remote-instance.outputs.label || steps.start-github-instance.outputs.runner_group }}
-    steps:
-      - name: Start remote instance
-        id: start-remote-instance
-        if: env.SECRETS_AVAILABLE == 'true'
-        uses: zama-ai/slab-github-runner@5aee5d157f4a0201e5eaefc9cc648e5f9f5472a5 # v1.6.0
-        with:
-          mode: start
-          github-token: ${{ secrets.SLAB_ACTION_TOKEN }}
-          slab-url: ${{ secrets.SLAB_BASE_URL }}
-          job-secret: ${{ secrets.JOB_SECRET }}
-          backend: hyperstack
-          profile: gpu-test
-
-      # This instance will be spawned especially for pull-request from forked repository
-      - name: Start GitHub instance
-        id: start-github-instance
-        if: env.SECRETS_AVAILABLE == 'false'
-        run: |
-          echo "runner_group=${EXTERNAL_CONTRIBUTION_RUNNER}" >> "$GITHUB_OUTPUT"
-
-  cuda-tests-linux:
-    name: gpu_zk_tests/cuda-tests-linux
-    needs: [ should-run, setup-instance ]
-    if: github.event_name != 'pull_request' ||
-      (github.event_name == 'pull_request' && needs.setup-instance.result != 'skipped')
-    concurrency:
-      group: ${{ github.workflow_ref }}
-      cancel-in-progress: ${{ github.ref != 'refs/heads/main' }}
-    runs-on: ${{ needs.setup-instance.outputs.runner-name }}
-    strategy:
-      fail-fast: false
-      # explicit include-based build matrix, of known valid options
-      matrix:
-        include:
-          - os: ubuntu-22.04
-            cuda: "12.8"
-            gcc: 11 
-    steps:
-      - name: Checkout tfhe-rs
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
-        with:
-          persist-credentials: 'false'
-          token: ${{ env.CHECKOUT_TOKEN }}
-
-      - name: Setup Hyperstack dependencies
-        uses: ./.github/actions/gpu_setup
-        with:
-          cuda-version: ${{ matrix.cuda }}
-          gcc-version: ${{ matrix.gcc }}
-          github-instance: ${{ env.SECRETS_AVAILABLE == 'false' }}
-
-      - name: Install latest stable
-        uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9 # zizmor: ignore[stale-action-refs] this action doesn't create releases
-        with:
-          toolchain: stable
-
-      - name: Enable nvidia multi-process service
-        run: |
-          nvidia-cuda-mps-control -d
-
-      - name: Run zk-cuda-backend integration tests
-        run: |
-          make test_zk_cuda_backend
-          make test_zk_pok_experimental_gpu
-          make test_integer_zk_gpu
-          make test_integer_zk_experimental_gpu
-
-  slack-notify:
-    name: gpu_zk_tests/slack-notify
-    needs: [ setup-instance, cuda-tests-linux ]
-    runs-on: ubuntu-latest
-    if: ${{ always() && needs.cuda-tests-linux.result != 'skipped' && failure() }}
-    continue-on-error: true
-    steps:
-      - name: Set pull-request URL
-        if: env.SECRETS_AVAILABLE == 'true' && github.event_name == 'pull_request'
-        run: |
-          echo "PULL_REQUEST_MD_LINK=[pull-request](${PR_BASE_URL}${PR_NUMBER}), "  >> "${GITHUB_ENV}"
-        env:
-          PR_BASE_URL: ${{ vars.PR_BASE_URL }}
-          PR_NUMBER: ${{ github.event.pull_request.number }}
-
-      - name: Send message
-        if: env.SECRETS_AVAILABLE == 'true'
-        uses: rtCamp/action-slack-notify@e31e87e03dd19038e411e38ae27cbad084a90661
-        env:
-          SLACK_COLOR: ${{ needs.cuda-tests-linux.result }}
-          SLACK_MESSAGE: "ZK GPU tests finished with status: ${{ needs.cuda-tests-linux.result }}. (${{ env.PULL_REQUEST_MD_LINK }}[action run](${{ env.ACTION_RUN_URL }}))"
-
-  teardown-instance:
-    name: gpu_zk_tests/teardown-instance
-    if: ${{ always() && needs.setup-instance.result == 'success' }}
-    needs: [ setup-instance, cuda-tests-linux ]
-    runs-on: ubuntu-latest
-    steps:
-      - name: Stop remote instance
-        id: stop-instance
-        if: env.SECRETS_AVAILABLE == 'true'
-        uses: zama-ai/slab-github-runner@5aee5d157f4a0201e5eaefc9cc648e5f9f5472a5 # v1.6.0
-        with:
-          mode: stop
-          github-token: ${{ secrets.SLAB_ACTION_TOKEN }}
-          slab-url: ${{ secrets.SLAB_BASE_URL }}
-          job-secret: ${{ secrets.JOB_SECRET }}
-          label: ${{ needs.setup-instance.outputs.runner-name }}
-
-      - name: Slack Notification
-        if: ${{ failure() }}
-        uses: rtCamp/action-slack-notify@e31e87e03dd19038e411e38ae27cbad084a90661
-        env:
-          SLACK_COLOR: ${{ job.status }}
-          SLACK_MESSAGE: "Instance teardown (cuda-tests) finished with status: ${{ job.status }}. (${{ env.ACTION_RUN_URL }})"
--- a/.github/workflows/hpu_hlapi_tests.yml
+++ b/.github/workflows/hpu_hlapi_tests.yml
@@ -2,7 +2,6 @@
 name: hpu_hlapi_tests

 on:
-  workflow_dispatch:
  pull_request:
  push:
    branches:
@@ -13,7 +12,9 @@ env:
  ACTION_RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
  IS_PULL_REQUEST: ${{ github.event_name == 'pull_request' }}
  CHECKOUT_TOKEN: ${{ secrets.REPO_CHECKOUT_TOKEN || secrets.GITHUB_TOKEN }}
-
+  # Secrets will be available only to zama-ai organization members
+  SECRETS_AVAILABLE: ${{ secrets.JOB_SECRET != '' }}
+  EXTERNAL_CONTRIBUTION_RUNNER: "large_ubuntu_16"

 concurrency:
  group: ${{ github.workflow }}-${{ github.head_ref }}${{ github.ref == 'refs/heads/main' && github.sha || '' }}
@@ -24,8 +25,6 @@ permissions: {}
 jobs:
  should-run:
    name: hpu_hlapi_tests/should-run
-    if: github.event_name != 'push' ||
-      (github.event_name == 'push' && github.repository == 'zama-ai/tfhe-rs')
    runs-on: ubuntu-latest
    permissions:
      pull-requests: read  # Needed to check for file change
@@ -33,7 +32,7 @@ jobs:
      hpu_test: ${{ env.IS_PULL_REQUEST == 'false' || steps.changed-files.outputs.hpu_any_changed }}
    steps:
      - name: Checkout tfhe-rs
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
        with:
          fetch-depth: 0
          persist-credentials: 'false'
@@ -41,7 +40,7 @@ jobs:

      - name: Check for file changes
        id: changed-files
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
        with:
          files_yaml: |
            hpu:
@@ -50,21 +49,47 @@ jobs:
              - backends/tfhe-hpu-backend/**
              - mockups/tfhe-hpu-mockup/**

-  cargo-tests-hpu:
-    name: hpu_hlapi_tests/cargo-tests-hpu (bpr)
+  setup-instance:
+    name: hpu_hlapi_tests/setup-instance
    needs: should-run
    if:
      needs.should-run.outputs.hpu_test == 'true' &&
      ((github.event_name == 'push' && github.repository == 'zama-ai/tfhe-rs') ||github.event_name == 'pull_request')
-    runs-on: "runs-on=${{ github.run_id }}/runner=cpu-big"
+    runs-on: ubuntu-latest
+    outputs:
+      runner-name: ${{ steps.start-remote-instance.outputs.label || steps.start-github-instance.outputs.runner_group }}
    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+      - name: Start remote instance
+        id: start-remote-instance
+        if: env.SECRETS_AVAILABLE == 'true'
+        uses: zama-ai/slab-github-runner@5aee5d157f4a0201e5eaefc9cc648e5f9f5472a5 # v1.6.0
+        with:
+          mode: start
+          github-token: ${{ secrets.SLAB_ACTION_TOKEN }}
+          slab-url: ${{ secrets.SLAB_BASE_URL }}
+          job-secret: ${{ secrets.JOB_SECRET }}
+          backend: aws
+          profile: cpu-big
+
+      # This instance will be spawned especially for pull-request from forked repository
+      - name: Start GitHub instance
+        id: start-github-instance
+        if: env.SECRETS_AVAILABLE == 'false'
+        run: |
+          echo "runner_group=${EXTERNAL_CONTRIBUTION_RUNNER}" >> "$GITHUB_OUTPUT"
+
+  cargo-tests-hpu:
+    name: hpu_hlapi_tests/cargo-tests-hpu (bpr)
+    needs: setup-instance
+    runs-on: ${{ needs.setup-instance.outputs.runner-name }}
+    steps:
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
        with:
          persist-credentials: 'false'
          token: ${{ env.CHECKOUT_TOKEN }}

      - name: Install Rust
-        uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9 # zizmor: ignore[stale-action-refs] this action doesn't create releases
+        uses: actions-rs/toolchain@16499b5e05bf2e26879000db0c1d13f7e13fa3af
        with:
          toolchain: stable
          override: true
@@ -79,3 +104,27 @@ jobs:
          just -f mockups/tfhe-hpu-mockup/Justfile  BUILD_PROFILE=release mockup &
          make HPU_CONFIG=sim test_high_level_api_hpu
          make HPU_CONFIG=sim test_user_doc_hpu
+
+  teardown-instance:
+    name: hpu_hlapi_tests/teardown-instance
+    if: ${{ always() && needs.setup-instance.result == 'success' }}
+    needs: [setup-instance, cargo-tests-hpu]
+    runs-on: ubuntu-latest
+    steps:
+      - name: Stop remote instance
+        id: stop-instance
+        if: env.SECRETS_AVAILABLE == 'true'
+        uses: zama-ai/slab-github-runner@5aee5d157f4a0201e5eaefc9cc648e5f9f5472a5 # v1.6.0
+        with:
+          mode: stop
+          github-token: ${{ secrets.SLAB_ACTION_TOKEN }}
+          slab-url: ${{ secrets.SLAB_BASE_URL }}
+          job-secret: ${{ secrets.JOB_SECRET }}
+          label: ${{ needs.setup-instance.outputs.runner-name }}
+
+      - name: Slack Notification
+        if: ${{ failure() }}
+        uses: rtCamp/action-slack-notify@e31e87e03dd19038e411e38ae27cbad084a90661
+        env:
+          SLACK_COLOR: ${{ job.status }}
+          SLACK_MESSAGE: "Instance teardown (hpu_hlapi_tests) finished with status: ${{ job.status }}. (${{ env.ACTION_RUN_URL }})"
--- a/.github/workflows/integer_long_run_tests.yml
+++ b/.github/workflows/integer_long_run_tests.yml
@@ -24,18 +24,36 @@ permissions: {}
 # zizmor: ignore[concurrency-limits] concurrency is managed after instance setup to ensure safe provisioning

 jobs:
-  cpu-tests:
-    name: integer_long_run_tests/cpu-tests
+  setup-instance:
+    name: integer_long_run_tests/setup-instance
    if: github.event_name != 'schedule' ||
      (github.event_name == 'schedule' && github.repository == 'zama-ai/tfhe-rs')
+    runs-on: ubuntu-latest
+    outputs:
+      runner-name: ${{ steps.start-instance.outputs.label }}
+    steps:
+      - name: Start instance
+        id: start-instance
+        uses: zama-ai/slab-github-runner@5aee5d157f4a0201e5eaefc9cc648e5f9f5472a5 # v1.6.0
+        with:
+          mode: start
+          github-token: ${{ secrets.SLAB_ACTION_TOKEN }}
+          slab-url: ${{ secrets.SLAB_BASE_URL }}
+          job-secret: ${{ secrets.JOB_SECRET }}
+          backend: aws
+          profile: cpu-big
+
+  cpu-tests:
+    name: integer_long_run_tests/cpu-tests
+    needs: [ setup-instance ]
    concurrency:
      group: ${{ github.workflow_ref }}_${{github.event_name}}
      cancel-in-progress: true
-    runs-on: "runs-on=${{ github.run_id }}/runner=cpu-big"
+    runs-on: ${{ needs.setup-instance.outputs.runner-name }}
    timeout-minutes: 4320 # 72 hours
    steps:
      - name: Checkout tfhe-rs
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
        with:
          persist-credentials: 'false'
          token: ${{ secrets.REPO_CHECKOUT_TOKEN }}
@@ -56,3 +74,26 @@ jobs:
        env:
          SLACK_COLOR: ${{ job.status }}
          SLACK_MESSAGE: "CPU long run tests finished with status: ${{ job.status }}. (${{ env.ACTION_RUN_URL }})"
+
+  teardown-instance:
+    name: integer_long_run_tests/teardown-instance
+    if: ${{ always() && needs.setup-instance.result == 'success' }}
+    needs: [ setup-instance, cpu-tests ]
+    runs-on: ubuntu-latest
+    steps:
+      - name: Stop instance
+        id: stop-instance
+        uses: zama-ai/slab-github-runner@5aee5d157f4a0201e5eaefc9cc648e5f9f5472a5 # v1.6.0
+        with:
+          mode: stop
+          github-token: ${{ secrets.SLAB_ACTION_TOKEN }}
+          slab-url: ${{ secrets.SLAB_BASE_URL }}
+          job-secret: ${{ secrets.JOB_SECRET }}
+          label: ${{ needs.setup-instance.outputs.runner-name }}
+
+      - name: Slack Notification
+        if: ${{ failure() }}
+        uses: rtCamp/action-slack-notify@e31e87e03dd19038e411e38ae27cbad084a90661
+        env:
+          SLACK_COLOR: ${{ job.status }}
+          SLACK_MESSAGE: "Instance teardown (cpu-long-run-tests) finished with status: ${{ job.status }}. (${{ env.ACTION_RUN_URL }})"
--- a/.github/workflows/m1_tests.yml
+++ b/.github/workflows/m1_tests.yml
@@ -41,7 +41,7 @@ jobs:
    timeout-minutes: 720

    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
        with:
          persist-credentials: "false"
          token: ${{ env.CHECKOUT_TOKEN }}
--- a/.github/workflows/make_release_common.yml
+++ b/.github/workflows/make_release_common.yml
@@ -52,7 +52,7 @@ jobs:
      hash: ${{ steps.hash.outputs.hash }}
    steps:
      - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          fetch-depth: 0
          persist-credentials: 'false'
@@ -62,7 +62,7 @@ jobs:
          PACKAGE: ${{ inputs.package-name }}
        run: |
          cargo package -p "${PACKAGE}"
-      - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+      - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
        with:
          name: crate-${{ inputs.package-name }}
          path: target/package/*.crate
@@ -75,8 +75,7 @@ jobs:
    name: make_release_common/provenance
    if: ${{ !inputs.dry-run  }}
    needs: package
-    # This action cannot be pinned to a specific commit (see https://github.com/slsa-framework/slsa-github-generator/blob/main/README.md#referencing-slsa-builders-and-generators)
-    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.1.0 # zizmor: ignore[unpinned-uses] as said above SLSA cannot be pinned by tag today
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.1.0
    permissions:
      actions: read # Needed to detect the GitHub Actions environment
      id-token: write # Needed to create the provenance via GitHub OIDC
@@ -94,20 +93,20 @@ jobs:
      id-token: write # Needed for OIDC token exchange on crates.io
    steps:
      - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          fetch-depth: 0
          persist-credentials: 'false'
          token: ${{ secrets.REPO_CHECKOUT_TOKEN }}

      - name: Download artifact
-        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
+        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
        with:
          name: crate-${{ inputs.package-name }}
          path: target/package

      - name: Authenticate on registry
-        uses: rust-lang/crates-io-auth-action@bbd81622f20ce9e2dd9622e3218b975523e45bbe # v1.0.4
+        uses: rust-lang/crates-io-auth-action@b7e9a28eded4986ec6b1fa40eeee8f8f165559ec # v1.0.3
        id: auth

      - name: Publish crate.io package
--- a/.github/workflows/make_release_common_cuda.yml
+++ b/.github/workflows/make_release_common_cuda.yml
@@ -1,36 +1,12 @@
-# Common workflow to make crate release for CUDA backend
-name: make_release_common_cuda
+name: make_release_cuda

 on:
-  workflow_call:
+  workflow_dispatch:
    inputs:
-      package-name:
-        type: string
-        required: true
-      dry-run:
+      dry_run:
+        description: "Dry-run"
        type: boolean
        default: true
-    secrets:
-      REPO_CHECKOUT_TOKEN:
-        required: true
-      SLAB_ACTION_TOKEN:
-        required: true
-      SLAB_BASE_URL:
-        required: true
-      SLAB_URL:
-        required: true
-      JOB_SECRET:
-        required: true
-      SLACK_CHANNEL:
-        required: true
-      BOT_USERNAME:
-        required: true
-      SLACK_WEBHOOK:
-        required: true
-      ALLOWED_TEAM:
-        required: true
-      READ_ORG_TOKEN:
-        required: true

 env:
  ACTION_RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
@@ -45,15 +21,15 @@ permissions: {}

 jobs:
  verify-triggering-actor:
-    name: make_release_common_cuda/verify-triggering-actor
+    name: make_release_cuda/verify-triggering-actor
    if: startsWith(github.ref, 'refs/tags/')
    uses: ./.github/workflows/verify_triggering_actor.yml
    secrets:
-      ALLOWED_TEAM: ${{ secrets.ALLOWED_TEAM }}
+      ALLOWED_TEAM: ${{ secrets.RELEASE_TEAM }}
      READ_ORG_TOKEN: ${{ secrets.READ_ORG_TOKEN }}

  setup-instance:
-    name: make_release_common_cuda/setup-instance
+    name: make_release_cuda/setup-instance
    needs: verify-triggering-actor
    runs-on: ubuntu-latest
    outputs:
@@ -71,7 +47,7 @@ jobs:
          profile: gpu-build

  package:
-    name: make_release_common_cuda/package
+    name: make_release_cuda/package
    needs: setup-instance
    runs-on: ${{ needs.setup-instance.outputs.runner-name }}
    outputs:
@@ -88,7 +64,7 @@ jobs:
      CUDA_PATH: /usr/local/cuda-${{ matrix.cuda }}
    steps:
      - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          fetch-depth: 0
          persist-credentials: "false"
@@ -100,6 +76,7 @@ jobs:
          toolchain: stable

      - name: Export CUDA variables
+        if: ${{ !cancelled() }}
        run: |
          echo "$CUDA_PATH/bin" >> "${GITHUB_PATH}"
          {
@@ -112,6 +89,7 @@ jobs:

      # Specify the correct host compilers
      - name: Export gcc and g++ variables
+        if: ${{ !cancelled() }}
        run: |
          {
            echo "CC=/usr/bin/gcc-${GCC_VERSION}";
@@ -123,14 +101,12 @@ jobs:
          GCC_VERSION: ${{ matrix.gcc }}

      - name: Prepare package
-        env:
-          PACKAGE: ${{ inputs.package-name }}
        run: |
-          cargo package -p "${PACKAGE}"
+          cargo package -p tfhe-cuda-backend

-      - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+      - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
        with:
-          name: crate-${{ inputs.package-name }}
+          name: crate-tfhe-cuda-backend
          path: target/package/*.crate

      - name: generate hash
@@ -138,11 +114,10 @@ jobs:
        run: cd target/package && echo "hash=$(sha256sum ./*.crate | base64 -w0)" >> "${GITHUB_OUTPUT}"

  provenance:
-    name: make_release_common_cuda/provenance
-    if: ${{ !inputs.dry-run  }}
+    name: make_release_cuda/provenance
+    if: ${{ !inputs.dry_run  }}
    needs: [package]
-    # This action cannot be pinned to a specific commit (see https://github.com/slsa-framework/slsa-github-generator/blob/main/README.md#referencing-slsa-builders-and-generators)
-    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.1.0 # zizmor: ignore[unpinned-uses] as said above SLSA cannot be pinned by tag today
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.1.0
    permissions:
      actions: read # Needed to detect the GitHub Actions environment
      id-token: write # Needed to create the provenance via GitHub OIDC
@@ -152,7 +127,7 @@ jobs:
      base64-subjects: ${{ needs.package.outputs.hash }}

  publish-cuda-release:
-    name: make_release_common_cuda/publish-cuda-release
+    name: make_release_cuda/publish-cuda-release
    needs: [setup-instance, package] # for comparing hashes
    runs-on: ${{ needs.setup-instance.outputs.runner-name }}
    permissions:
@@ -174,6 +149,7 @@ jobs:
          toolchain: stable

      - name: Export CUDA variables
+        if: ${{ !cancelled() }}
        run: |
          echo "$CUDA_PATH/bin" >> "${GITHUB_PATH}"
          {
@@ -186,6 +162,7 @@ jobs:

      # Specify the correct host compilers
      - name: Export gcc and g++ variables
+        if: ${{ !cancelled() }}
        run: |
          {
            echo "CC=/usr/bin/gcc-${GCC_VERSION}";
@@ -196,33 +173,25 @@ jobs:
        env:
          GCC_VERSION: ${{ matrix.gcc }}

-      - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          fetch-depth: 0
-          persist-credentials: "false"
-          token: ${{ secrets.REPO_CHECKOUT_TOKEN }}
-
      - name: Download artifact
-        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
+        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
        with:
-          name: crate-${{ inputs.package-name }}
+          name: crate-tfhe-cuda-backend
          path: target/package

      - name: Authenticate on registry
-        uses: rust-lang/crates-io-auth-action@bbd81622f20ce9e2dd9622e3218b975523e45bbe # v1.0.4
+        uses: rust-lang/crates-io-auth-action@b7e9a28eded4986ec6b1fa40eeee8f8f165559ec # v1.0.3
        id: auth

      - name: Publish crate.io package
        env:
          CARGO_REGISTRY_TOKEN: ${{ steps.auth.outputs.token }}
-          PACKAGE: ${{ inputs.package-name }}
-          DRY_RUN: ${{ inputs.dry-run && '--dry-run' || '' }}
+          DRY_RUN: ${{ inputs.dry_run && '--dry-run' || '' }}
        run: |
-          # DRY_RUN expansion cannot be double quoted when variable contains empty string otherwise cargo publish
+          # DRY_RUN expansion cannot be double quoted when variable contains empty string otherwise cargo publish 
          # would fail. This is safe since DRY_RUN is handled in the env section above.
          # shellcheck disable=SC2086
-          cargo publish -p "${PACKAGE}" ${DRY_RUN}
+          cargo publish -p tfhe-cuda-backend ${DRY_RUN}

      - name: Generate hash
        id: published_hash
@@ -234,7 +203,7 @@ jobs:
        uses: rtCamp/action-slack-notify@e31e87e03dd19038e411e38ae27cbad084a90661 # v2.3.3
        env:
          SLACK_COLOR: failure
-          SLACK_MESSAGE: "SLSA ${{ inputs.package-name }} crate - hash comparison failure: (${{ env.ACTION_RUN_URL }})"
+          SLACK_MESSAGE: "SLSA tfhe-cuda-backend crate - hash comparison failure: (${{ env.ACTION_RUN_URL }})"

      - name: Slack Notification
        if: ${{ failure() || (cancelled() && github.event_name != 'pull_request') }}
@@ -242,10 +211,10 @@ jobs:
        uses: rtCamp/action-slack-notify@e31e87e03dd19038e411e38ae27cbad084a90661 # v2.3.3
        env:
          SLACK_COLOR: ${{ job.status }}
-          SLACK_MESSAGE: "${{ inputs.package-name }} release finished with status: ${{ job.status }}. (${{ env.ACTION_RUN_URL }})"
+          SLACK_MESSAGE: "tfhe-cuda-backend release finished with status: ${{ job.status }}. (${{ env.ACTION_RUN_URL }})"

  teardown-instance:
-    name: make_release_common_cuda/teardown-instance
+    name: make_release_cuda/teardown-instance
    if: ${{ always() && needs.setup-instance.result == 'success' }}
    needs: [setup-instance, publish-cuda-release]
    runs-on: ubuntu-latest
@@ -262,7 +231,7 @@ jobs:

      - name: Slack Notification
        if: ${{ failure() }}
-        uses: rtCamp/action-slack-notify@e31e87e03dd19038e411e38ae27cbad084a90661 # v2.3.3
+        uses: rtCamp/action-slack-notify@e31e87e03dd19038e411e38ae27cbad084a90661
        env:
          SLACK_COLOR: ${{ job.status }}
-          SLACK_MESSAGE: "Instance teardown (${{ inputs.package-name }} release) finished with status: ${{ job.status }}. (${{ env.ACTION_RUN_URL }})"
+          SLACK_MESSAGE: "Instance teardown (publish-cuda-release) finished with status: ${{ job.status }}. (${{ env.ACTION_RUN_URL }})"
--- a/.github/workflows/make_release_tfhe.yml
+++ b/.github/workflows/make_release_tfhe.yml
@@ -16,10 +16,6 @@ on:
        description: "Push web js package"
        type: boolean
        default: true
-      push_web_compat_package:
-        description: "Push web compat (cross-origin) js package"
-        type: boolean
-        default: true
      push_node_package:
        description: "Push node js package"
        type: boolean
@@ -72,7 +68,7 @@ jobs:
      id-token: write # also needed for OIDC token exchange on crates.io and npmjs.com
    steps:
      - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          fetch-depth: 0
          persist-credentials: 'false'
@@ -89,31 +85,14 @@ jobs:
          make build_web_js_api_parallel

      - name: Authenticate on NPM
-        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
+        uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
        with:
          node-version: '24'
          registry-url: 'https://registry.npmjs.org'

      - name: Publish web package
        if: ${{ inputs.push_web_package }}
-        uses: JS-DevTools/npm-publish@0fd2f4369c5d6bcfcde6091a7c527d810b9b5c3f
-        with:
-          package: tfhe/pkg/package.json
-          dry-run: ${{ inputs.dry_run }}
-          tag: ${{ env.NPM_TAG }}
-          provenance: true
-
-      - name: Build web compat (cross-origin) package
-        if: ${{ inputs.push_web_compat_package }}
-        run: |
-          rm -rf tfhe/pkg
-
-          make build_web_js_api
-          sed -i 's/"tfhe"/"tfhe-compat"/g' tfhe/pkg/package.json
-
-      - name: Publish web compat (cross-origin) package
-        if: ${{ inputs.push_web_compat_package }}
-        uses: JS-DevTools/npm-publish@0fd2f4369c5d6bcfcde6091a7c527d810b9b5c3f
+        uses: JS-DevTools/npm-publish@7f8fe47b3bea1be0c3aec2b717c5ec1f3e03410b
        with:
          package: tfhe/pkg/package.json
          dry-run: ${{ inputs.dry_run }}
@@ -130,7 +109,7 @@ jobs:

      - name: Publish Node package
        if: ${{ inputs.push_node_package }}
-        uses: JS-DevTools/npm-publish@0fd2f4369c5d6bcfcde6091a7c527d810b9b5c3f
+        uses: JS-DevTools/npm-publish@7f8fe47b3bea1be0c3aec2b717c5ec1f3e03410b
        with:
          package: tfhe/pkg/package.json
          dry-run: ${{ inputs.dry_run }}
--- a/.github/workflows/make_release_tfhe_cuda.yml
+++ b/.github/workflows/make_release_tfhe_cuda.yml
@@ -1,44 +0,0 @@
-# Publish new release of tfhe-rs CUDA backend on crates.io.
-name: make_release_tfhe_cuda
-
-on:
-  workflow_dispatch:
-    inputs:
-      dry_run:
-        description: "Dry-run"
-        type: boolean
-        default: true
-
-env:
-  ACTION_RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
-  SLACK_CHANNEL: ${{ secrets.SLACK_CHANNEL }}
-  SLACK_ICON: https://pbs.twimg.com/profile_images/1274014582265298945/OjBKP9kn_400x400.png
-  SLACK_USERNAME: ${{ secrets.BOT_USERNAME }}
-  SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
-
-permissions: {}
-
-# zizmor: ignore[concurrency-limits] only Zama organization members can trigger this workflow
-
-jobs:
-  make-release:
-    name: make_release_tfhe_cuda/make-release
-    uses: ./.github/workflows/make_release_common_cuda.yml
-    with:
-      package-name: "tfhe-cuda-backend"
-      dry-run: ${{ inputs.dry_run }}
-    permissions:
-      actions: read # Needed to detect the GitHub Actions environment
-      id-token: write # Needed to create the provenance via GitHub OIDC
-      contents: write # Needed to upload assets/artifacts
-    secrets:
-      BOT_USERNAME: ${{ secrets.BOT_USERNAME }}
-      SLACK_CHANNEL: ${{ secrets.SLACK_CHANNEL }}
-      SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
-      REPO_CHECKOUT_TOKEN: ${{ secrets.REPO_CHECKOUT_TOKEN }}
-      ALLOWED_TEAM: ${{ secrets.RELEASE_TEAM }}
-      READ_ORG_TOKEN: ${{ secrets.READ_ORG_TOKEN }}
-      SLAB_ACTION_TOKEN: ${{ secrets.SLAB_ACTION_TOKEN }}
-      SLAB_BASE_URL: ${{ secrets.SLAB_BASE_URL }}
-      SLAB_URL: ${{ secrets.SLAB_URL }}
-      JOB_SECRET: ${{ secrets.JOB_SECRET }}
--- a/.github/workflows/make_release_tfhe_safe_serialize.yml
+++ b/.github/workflows/make_release_tfhe_safe_serialize.yml
@@ -1,32 +0,0 @@
-name: make_release_tfhe_safe_serialize
-
-on:
-  workflow_dispatch:
-    inputs:
-      dry_run:
-        description: "Dry-run"
-        type: boolean
-        default: true
-
-permissions: {}
-
-# zizmor: ignore[concurrency-limits] only Zama organization members can trigger this workflow
-
-jobs:
-  make-release:
-    name: make_release_tfhe_safe_serialize/make-release
-    uses: ./.github/workflows/make_release_common.yml
-    with:
-      package-name: "tfhe-safe-serialize"
-      dry-run: ${{ inputs.dry_run }}
-    permissions:
-      actions: read # Needed to detect the GitHub Actions environment
-      id-token: write # Needed to create the provenance via GitHub OIDC
-      contents: write # Needed to upload assets/artifacts
-    secrets:
-      BOT_USERNAME: ${{ secrets.BOT_USERNAME }}
-      SLACK_CHANNEL: ${{ secrets.SLACK_CHANNEL }}
-      SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
-      REPO_CHECKOUT_TOKEN: ${{ secrets.REPO_CHECKOUT_TOKEN }}
-      ALLOWED_TEAM: ${{ secrets.RELEASE_TEAM }}
-      READ_ORG_TOKEN: ${{ secrets.READ_ORG_TOKEN }}
--- a/.github/workflows/make_release_wasm_par_mq.yml
+++ b/.github/workflows/make_release_wasm_par_mq.yml
@@ -1,33 +0,0 @@
-# Publish new release of wasm_par_mq
-name: make_release_wasm_par_mq
-
-on:
-  workflow_dispatch:
-    inputs:
-      dry_run:
-        description: "Dry-run"
-        type: boolean
-        default: true
-
-permissions: {}
-
-# zizmor: ignore[concurrency-limits] only Zama organization members can trigger this workflow
-
-jobs:
-  make-release:
-    name: make_release_wasm_par_mq/make-release
-    uses: ./.github/workflows/make_release_common.yml
-    with:
-      package-name: "wasm-par-mq"
-      dry-run: ${{ inputs.dry_run }}
-    permissions:
-      actions: read # Needed to detect the GitHub Actions environment
-      id-token: write # Needed to create the provenance via GitHub OIDC
-      contents: write # Needed to upload assets/artifacts
-    secrets:
-      BOT_USERNAME: ${{ secrets.BOT_USERNAME }}
-      SLACK_CHANNEL: ${{ secrets.SLACK_CHANNEL }}
-      SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
-      REPO_CHECKOUT_TOKEN: ${{ secrets.REPO_CHECKOUT_TOKEN }}
-      ALLOWED_TEAM: ${{ secrets.RELEASE_TEAM }}
-      READ_ORG_TOKEN: ${{ secrets.READ_ORG_TOKEN }}
--- a/.github/workflows/make_release_zk_cuda.yml
+++ b/.github/workflows/make_release_zk_cuda.yml
@@ -1,44 +0,0 @@
-# Publish new release of CUDA Zero-Knowledge primitives on crates.io.
-name: make_release_zk_cuda
-
-on:
-  workflow_dispatch:
-    inputs:
-      dry_run:
-        description: "Dry-run"
-        type: boolean
-        default: true
-
-env:
-  ACTION_RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
-  SLACK_CHANNEL: ${{ secrets.SLACK_CHANNEL }}
-  SLACK_ICON: https://pbs.twimg.com/profile_images/1274014582265298945/OjBKP9kn_400x400.png
-  SLACK_USERNAME: ${{ secrets.BOT_USERNAME }}
-  SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
-
-permissions: {}
-
-# zizmor: ignore[concurrency-limits] only Zama organization members can trigger this workflow
-
-jobs:
-  make-release:
-    name: make_release_zk_cuda/make-release
-    uses: ./.github/workflows/make_release_common_cuda.yml
-    with:
-      package-name: "zk-cuda-backend"
-      dry-run: ${{ inputs.dry_run }}
-    permissions:
-      actions: read # Needed to detect the GitHub Actions environment
-      id-token: write # Needed to create the provenance via GitHub OIDC
-      contents: write # Needed to upload assets/artifacts
-    secrets:
-      BOT_USERNAME: ${{ secrets.BOT_USERNAME }}
-      SLACK_CHANNEL: ${{ secrets.SLACK_CHANNEL }}
-      SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
-      REPO_CHECKOUT_TOKEN: ${{ secrets.REPO_CHECKOUT_TOKEN }}
-      ALLOWED_TEAM: ${{ secrets.RELEASE_TEAM }}
-      READ_ORG_TOKEN: ${{ secrets.READ_ORG_TOKEN }}
-      SLAB_ACTION_TOKEN: ${{ secrets.SLAB_ACTION_TOKEN }}
-      SLAB_BASE_URL: ${{ secrets.SLAB_BASE_URL }}
-      SLAB_URL: ${{ secrets.SLAB_URL }}
-      JOB_SECRET: ${{ secrets.JOB_SECRET }}
--- a/.github/workflows/parameters_check.yml
+++ b/.github/workflows/parameters_check.yml
@@ -5,8 +5,9 @@ env:
  CARGO_TERM_COLOR: always
  ACTION_RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
  RUSTFLAGS: "-C target-cpu=native"
-
-  SAGEMATH_VERSION: 10.8
+  # Secrets will be available only to zama-ai organization members
+  SECRETS_AVAILABLE: ${{ secrets.JOB_SECRET != '' }}
+  EXTERNAL_CONTRIBUTION_RUNNER: "large_ubuntu_16"

 on:
  pull_request:
@@ -25,15 +26,41 @@ permissions: {}
 # zizmor: ignore[concurrency-limits] only Zama organization members and GitHub can trigger this workflow

 jobs:
-  params-curves-security-check:
-    name: parameters_check/params-curves-security-check
+  setup-instance:
+    name: parameters_check/setup-instance
    if:
      (github.event_name == 'push' && github.repository == 'zama-ai/tfhe-rs') ||
-      github.event_name != 'push'
-    runs-on: "runs-on=${{ github.run_id }}/runner=cpu-small"
+      github.event_name == 'workflow_dispatch'
+    runs-on: ubuntu-latest
+    outputs:
+      runner-name: ${{ steps.start-remote-instance.outputs.label || steps.start-github-instance.outputs.runner_group }}
+    steps:
+      - name: Start remote instance
+        id: start-remote-instance
+        if: env.SECRETS_AVAILABLE == 'true'
+        uses: zama-ai/slab-github-runner@5aee5d157f4a0201e5eaefc9cc648e5f9f5472a5 # v1.6.0
+        with:
+          mode: start
+          github-token: ${{ secrets.SLAB_ACTION_TOKEN }}
+          slab-url: ${{ secrets.SLAB_BASE_URL }}
+          job-secret: ${{ secrets.JOB_SECRET }}
+          backend: aws
+          profile: cpu-small
+
+      # This instance will be spawned especially for pull-request from forked repository
+      - name: Start GitHub instance
+        id: start-github-instance
+        if: env.SECRETS_AVAILABLE == 'false'
+        run: |
+          echo "runner_group=${EXTERNAL_CONTRIBUTION_RUNNER}" >> "$GITHUB_OUTPUT"
+
+  params-curves-security-check:
+    name: parameters_check/params-curves-security-check
+    needs: setup-instance
+    runs-on: ${{ needs.setup-instance.outputs.runner-name }}
    steps:
      - name: Checkout tfhe-rs
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
        with:
          persist-credentials: 'false'
          token: ${{ secrets.REPO_CHECKOUT_TOKEN }}
@@ -44,42 +71,17 @@ jobs:
          toolchain: stable

      - name: Checkout lattice-estimator
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
        with:
          repository: malb/lattice-estimator
-          path: lattice-estimator
+          path: lattice_estimator
          ref: '352ddaf4a288a0543f5d9eb588d2f89c7acec463'
          persist-credentials: 'false'

-      - name: Restore Sagemath image from cache
-        id: docker-cache
-        uses: actions/cache/restore@668228422ae6a00e4ad889ee87cd7109ec5666a7 #v5.0.4
-        with:
-          path: /tmp/sagemath_image
-          key: sagemath-image-${{ env.SAGEMATH_VERSION }}-${{ github.sha }}
-          restore-keys: sagemath-image-
-
-      - name: Load cached Docker sagemath image
-        if: steps.docker-cache.outputs.cache-hit == 'true'
+      - name: Install Sage
        run: |
-          docker load -i /tmp/sagemath_image/sagemath.tar
-
-      - name: Pull Docker sagemath image
-        if: steps.docker-cache.outputs.cache-hit != 'true'
-        run: |
-          docker pull sagemath/sagemath:"${VERSION}"
-          mkdir -p /tmp/sagemath_image
-          docker save sagemath/sagemath:"${VERSION}" -o /tmp/sagemath_image/sagemath.tar
-        env:
-          VERSION: ${{ env.SAGEMATH_VERSION }}
-
-      - name: Store Sagemath image in cache
-        if: steps.docker-cache.outputs.cache-hit != 'true'
-        continue-on-error: true
-        uses: actions/cache/save@668228422ae6a00e4ad889ee87cd7109ec5666a7 #v5.0.4
-        with:
-          path: /tmp/sagemath_image
-          key: sagemath-image-${{ env.SAGEMATH_VERSION }}-${{ github.sha }}
+          sudo apt update
+          sudo apt install -y sagemath

      - name: Collect parameters
        run: |
@@ -93,9 +95,7 @@ jobs:

      - name: Perform security check
        run: |
-          docker run \
-          -v "${PWD}":/repo_src \
-          sagemath/sagemath:10.8 /bin/bash /repo_src/scripts/execute_lattice_estimator.sh
+          PYTHONPATH=lattice_estimator sage ci/lattice_estimator.sage

      - name: Get time elapsed
        if: ${{ always() }}
@@ -127,3 +127,27 @@ jobs:
          SLACK_MESSAGE: "Security check for parameters finished with status: ${{ job.status }} (analysis took: ${{ env.TIME_ELAPSED }} mins). (${{ env.ACTION_RUN_URL }})"
          SLACK_USERNAME: ${{ secrets.BOT_USERNAME }}
          SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
+
+  teardown-instance:
+    name: parameters_check/teardown-instance
+    if: ${{ always() && needs.setup-instance.result == 'success' }}
+    needs: [setup-instance, params-curves-security-check]
+    runs-on: ubuntu-latest
+    steps:
+      - name: Stop remote instance
+        id: stop-instance
+        if: env.SECRETS_AVAILABLE == 'true'
+        uses: zama-ai/slab-github-runner@5aee5d157f4a0201e5eaefc9cc648e5f9f5472a5 # v1.6.0
+        with:
+          mode: stop
+          github-token: ${{ secrets.SLAB_ACTION_TOKEN }}
+          slab-url: ${{ secrets.SLAB_BASE_URL }}
+          job-secret: ${{ secrets.JOB_SECRET }}
+          label: ${{ needs.setup-instance.outputs.runner-name }}
+
+      - name: Slack Notification
+        if: ${{ failure() }}
+        uses: rtCamp/action-slack-notify@e31e87e03dd19038e411e38ae27cbad084a90661
+        env:
+          SLACK_COLOR: ${{ job.status }}
+          SLACK_MESSAGE: "Instance teardown (params-curves-security-check) finished with status: ${{ job.status }}. (${{ env.ACTION_RUN_URL }})"
--- a/.github/workflows/sync_on_push.yml
+++ b/.github/workflows/sync_on_push.yml
@@ -4,7 +4,7 @@ name: sync_on_push
 on:
  push:
    branches:
-      - "main"
+      - 'main'
  workflow_dispatch:

 permissions: {}
@@ -24,27 +24,49 @@ jobs:
          SOURCE_REPO: "zama-ai/tfhe-rs"
          SOURCE_BRANCH: "main"
          DESTINATION_BRANCH: "main"
-          SOURCE_TAGS: "refs/tags/*"
-          DESTINATION_TAGS: "refs/tags/*"
          USERNAME: ${{ secrets.BOT_USERNAME }}
          TOKEN: ${{ secrets.SYNC_REPO_TOKEN }}
          DEST_REPO: ${{ secrets.SYNC_DEST_REPO }}
        run: |
          echo ">>> Cloning source repo..."
          git lfs install
-          git clone --quiet "https://${USERNAME}:${TOKEN}@github.com/${SOURCE_REPO}.git" ./tfhe-rs --origin source && cd ./tfhe-rs
+          git clone "https://${USERNAME}:${TOKEN}@github.com/${SOURCE_REPO}.git" ./tfhe-rs --origin source && cd ./tfhe-rs
          git remote add destination "https://${USERNAME}:${TOKEN}@github.com/${DEST_REPO}.git"

          echo ">>> Fetching all branches references down locally so subsequent commands can see them..."
-          git fetch --all --tags --update-head-ok --quiet
+          git fetch source '+refs/heads/*:refs/heads/*' --update-head-ok

-          echo ">>> Sync LFS items from source..."
-          ./scripts/lfs_sync.sh source destination "${SOURCE_BRANCH}"
+          echo ">>> Print out all branches"
+          git --no-pager branch -a -vv

-          echo ">>> Pushing git changes for ${SOURCE_BRANCH}..."
+          echo ">>> Fetching all LFS items from source..."
+          git lfs fetch --all source "${SOURCE_BRANCH}"
+
+          echo ">>> Pushing git changes..."
          git push destination "${SOURCE_BRANCH}:${DESTINATION_BRANCH}" -f

-          echo ">>> Pushing git tags..."
-          git push destination "${SOURCE_TAGS}:${DESTINATION_TAGS}" -f
+          echo ">>> Pushing all LFS items..."
+          git lfs push --all destination "${DESTINATION_BRANCH}"

-          shred --remove .git/config
+      - name: git-sync-tags
+        env:
+          SOURCE_REPO: "zama-ai/tfhe-rs"
+          SOURCE_BRANCH: "refs/tags/*"
+          DESTINATION_BRANCH: "refs/tags/*"
+          USERNAME: ${{ secrets.BOT_USERNAME }}
+          TOKEN: ${{ secrets.SYNC_REPO_TOKEN }}
+          DEST_REPO: ${{ secrets.SYNC_DEST_REPO }}
+        run: |
+          echo ">>> Cloning source repo..."
+          git lfs install
+          git clone "https://${USERNAME}:${TOKEN}@github.com/${SOURCE_REPO}.git" ./tfhe-rs-tag --origin source && cd ./tfhe-rs-tag
+          git remote add destination "https://${USERNAME}:${TOKEN}@github.com/${DEST_REPO}.git"
+
+          echo ">>> Fetching all branches references down locally so subsequent commands can see them..."
+          git fetch source '+refs/heads/*:refs/heads/*' --update-head-ok
+
+          echo ">>> Print out all branches"
+          git --no-pager branch -a -vv
+
+          echo ">>> Pushing git changes..."
+          git push destination "${SOURCE_BRANCH}:${DESTINATION_BRANCH}" -f
--- a/.github/workflows/unverified_prs.yml
+++ b/.github/workflows/unverified_prs.yml
@@ -12,16 +12,15 @@ permissions: {}
 jobs:
  stale:
    name: unverified_prs/stale
-    if: github.repository == 'zama-ai/tfhe-rs'
    runs-on: ubuntu-latest
    permissions:
      issues: read # Needed to fetch all issues
      pull-requests: write # Needed to write message and close the PR
    steps:
-      - uses: actions/stale@b5d41d4e1d5dceea10e7104786b73624c18a190f # v10.2.0
+      - uses: actions/stale@997185467fa4f803885201cee163a9f38240193d # v10.1.1
        with:
-          stale-pr-message: 'This PR is unverified and has been open for 7 days, it will now be closed. If you want to contribute please sign the CLA as indicated by the bot.'
-          days-before-stale: 7
+          stale-pr-message: 'This PR is unverified and has been open for 2 days, it will now be closed. If you want to contribute please sign the CLA as indicated by the bot.'
+          days-before-stale: 2
          days-before-close: 0
          # We are not interested in suppressing issues so have a currently non existent label
          # if we ever accept issues to become stale/closable this label will be the signal for that
--- a/.gitignore
+++ b/.gitignore
@@ -25,7 +25,6 @@ dieharder_run.log

 # Cuda local build
 backends/tfhe-cuda-backend/cuda/cmake-build-debug/
-backends/tfhe-cuda-backend/cuda/build/

 # WASM tests
 tfhe/web_wasm_parallel_tests/server.PID
@@ -33,10 +32,6 @@ venv/
 web-test-runner/
 node_modules/
 package-lock.json
-utils/wasm-par-mq/examples/*/pkg/
-
-# Commit lock files of backward data generation crates
-!utils/tfhe-backward-compat-data/crates/generate_*/Cargo.lock

 # Python .env
 .env
--- a/.linelint.yml
+++ b/.linelint.yml
@@ -9,10 +9,8 @@ ignore:
  - tfhe/web_wasm_parallel_tests/dist
  - keys
  - coverage
-  - utils/tfhe-lints/**/main.stderr
-  - utils/tfhe-lints/**/*.json
+  - utils/tfhe-lints/ui/main.stderr
  - utils/tfhe-backward-compat-data/**/*.ron # ron files are autogenerated
-  - tests/corrupted_inputs_deserialization/data/proven_compact_list/**/metadata.txt

 rules:
  # checks if file ends in a newline character
--- a/28
+++ b/28
@@ -2,37 +2,35 @@
 # i.e. the `core_crypto` dir is owned and needs owner approval/review, but not the `gpu` sub dir
 # See https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners#example-of-a-codeowners-file

-/backends/tfhe-cuda-backend/            @zama-ai/gpu
-/backends/zk-cuda-backend/              @zama-ai/gpu
+/backends/tfhe-cuda-backend/            @agnesLeroy
 /backends/tfhe-hpu-backend/             @zama-ai/hardware

 /tfhe/examples/hpu                      @zama-ai/hardware

-/tfhe/src/core_crypto/                  @IceTDrinker @mayeul-zama
-/tfhe/src/core_crypto/gpu               @zama-ai/gpu
+/tfhe/src/core_crypto/                  @IceTDrinker
+/tfhe/src/core_crypto/gpu               @agnesLeroy
 /tfhe/src/core_crypto/hpu               @zama-ai/hardware

 /tfhe/src/shortint/                     @mayeul-zama @nsarlin-zama

-/tfhe/src/integer/                      @tmontaigu @nsarlin-zama
-/tfhe/src/integer/gpu                   @zama-ai/gpu
+/tfhe/src/integer/                      @tmontaigu
+/tfhe/src/integer/gpu                   @agnesLeroy
 /tfhe/src/integer/hpu                   @zama-ai/hardware

-/tfhe/src/high_level_api/               @tmontaigu @nsarlin-zama
+/tfhe/src/high_level_api/               @tmontaigu

-/tfhe-zk-pok/                           @nsarlin-zama @tmontaigu
-/tfhe-zk-pok/src/gpu                    @zama-ai/gpu
+/tfhe-zk-pok/                           @nsarlin-zama

-/tfhe-benchmark/                        @soonum @SouchonTheo
+/tfhe-benchmark/                        @soonum

-/utils/                                 @nsarlin-zama @SouchonTheo
+/utils/                                 @nsarlin-zama

 /Makefile                               @IceTDrinker @soonum

 /mockups/tfhe-hpu-mockup                @zama-ai/hardware

-/.github/                               @soonum @SouchonTheo
-/ci/                                    @soonum @SouchonTheo
-/scripts/                               @soonum @SouchonTheo
+/.github/                               @soonum
+/ci/                                    @soonum
+/scripts/                               @soonum

-/CODEOWNERS                             @IceTDrinker @nsarlin-zama
+/CODEOWNERS                             @IceTDrinker
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -17,7 +17,7 @@ Start by [forking](https://docs.github.com/en/pull-requests/collaborating-with-p
 - **Performance**: For optimal performance, it is highly recommended to run **TFHE-rs** code in release mode with cargo's `--release` flag.
 {% endhint %}

-To get more details about the library, please refer to the [documentation](https://docs.zama.org/tfhe-rs).
+To get more details about the library, please refer to the [documentation](https://docs.zama.ai/tfhe-rs).

 ## 2. Creating a new branch

--- a/Cargo.toml
+++ b/Cargo.toml
@@ -1,41 +1,31 @@
 [workspace]
 resolver = "3"
 members = [
-    "apps/test-vectors",
-    "backends/tfhe-cuda-backend",
-    "backends/tfhe-hpu-backend",
-    "backends/zk-cuda-backend",
-    "mockups/tfhe-hpu-mockup",
-    "tasks",
-    "tests",
    "tfhe",
    "tfhe-benchmark",
-    "tfhe-csprng",
    "tfhe-fft",
    "tfhe-ntt",
    "tfhe-zk-pok",
-    "utils/benchmark_spec",
-    "utils/param_dedup",
-    "utils/tfhe-backward-compat-checker",
-    "utils/tfhe-backward-compat-data",
-    "utils/tfhe-backward-compat-data/crates/add_new_version",
-    "utils/tfhe-safe-serialize",
+    "tasks",
+    "tfhe-csprng",
+    "backends/tfhe-cuda-backend",
+    "backends/tfhe-hpu-backend",
    "utils/tfhe-versionable",
    "utils/tfhe-versionable-derive",
-    "utils/wasm-par-mq",
-    "utils/wasm-par-mq/examples/msm",
-    "utils/wasm-par-mq/web_tests",
+    "utils/tfhe-backward-compat-data",
+    "utils/param_dedup",
+    "tests",
+    "mockups/tfhe-hpu-mockup",
+    "apps/test-vectors",
 ]

-exclude = ["utils/tfhe-lints", "apps/trivium", "apps/princev2"]
+exclude = ["utils/tfhe-lints", "apps/trivium"]

 [workspace.package]
 rust-version = "1.91.1"

 [workspace.dependencies]
 aligned-vec = { version = "0.6", default-features = false }
-ark-ec = "0.5.0"
-ark-ff = "0.5.0"
 bytemuck = "1.24"
 dyn-stack = { version = "0.13", default-features = false }
 itertools = "0.14"
@@ -44,21 +34,10 @@ pulp = { version = "0.22", default-features = false }
 rand = "0.8"
 rayon = "1.11"
 serde = { version = "1.0", default-features = false }
-wasm-bindgen = { version = "0.2.114" }
-wasm-bindgen-futures = { version = "0.4.56" }
-# js-sys (at this point in time) automatically enables the unsafe-eval feature which we do not want
-# this does not prevent other deps from enabling it, but it at least conveys our need to not have it
-# we still enable std, which was part of default before
-js-sys = { version = "0.3.91", default-features = false, features = ["std"] }
-getrandom = "0.2.17"
-bindgen = "0.71"
+wasm-bindgen = "0.2.101"
+getrandom = "0.2.8"
 # The project maintainers consider that this is the last version of the 1.3 branch, any newer version should not be trusted
 bincode = "=1.3.3"
-cmake = "0.1"
-pkg-config = "0.3"
-clap = { version = "4.5", features = ["derive"] }
-serde-wasm-bindgen = "0.6.5"
-paste = "1.0.15"

 [profile.bench]
 lto = "fat"
@@ -78,10 +57,7 @@ lto = "off"
 debug-assertions = false

 [workspace.metadata.dylint]
-libraries = [
-    { path = "utils/tfhe-lints/lints" },
-    { path = "utils/tfhe-lints/snapshot" },
-]
+libraries = [{ path = "utils/tfhe-lints" }]

 [profile.debug_lto_off]
 inherits = "dev"
--- a/2
+++ b/2
@@ -1,6 +1,6 @@
 BSD 3-Clause Clear License

-Copyright © 2026 ZAMA.
+Copyright © 2025 ZAMA.
 All rights reserved.

 Redistribution and use in source and binary forms, with or without modification,
--- a/656
+++ b/656
--- a/README.md
+++ b/README.md
@@ -10,7 +10,7 @@
 <hr/>

 <p align="center">
-  <a href="https://github.com/zama-ai/tfhe-rs-handbook/blob/main/tfhe-rs-handbook.pdf"> 📃 Read Handbook</a> |<a href="https://docs.zama.org/tfhe-rs"> 📒 Documentation</a> | <a href="https://www.zama.org/community-channels"> 💛 Community support</a> | <a href="https://github.com/zama-ai/awesome-zama"> 📚 FHE resources by Zama</a>
+  <a href="https://github.com/zama-ai/tfhe-rs-handbook/blob/main/tfhe-rs-handbook.pdf"> 📃 Read Handbook</a> |<a href="https://docs.zama.ai/tfhe-rs"> 📒 Documentation</a> | <a href="https://zama.ai/community"> 💛 Community support</a> | <a href="https://github.com/zama-ai/awesome-zama"> 📚 FHE resources by Zama</a>
 </p>


@@ -47,7 +47,7 @@ production-ready library for all the advanced features of TFHE.
 - **Ciphertext and server key compression** for efficient data transfer
 - **Full Rust API, C bindings to the Rust High-Level API, and client-side JavaScript API using WASM**.

-*Learn more about TFHE-rs features in the [documentation](https://docs.zama.org/tfhe-rs).*
+*Learn more about TFHE-rs features in the [documentation](https://docs.zama.ai/tfhe-rs/readme).*
 <br></br>

 ## Table of Contents
@@ -79,7 +79,7 @@ tfhe = { version = "*", features = ["boolean", "shortint", "integer"] }
 ```

 > [!Note]
-> Note: You need Rust version 1.91.1 or newer to compile TFHE-rs. You can check your version with `rustc --version`.
+> Note: You need Rust version 1.84 or newer to compile TFHE-rs. You can check your version with `rustc --version`.

 > [!Note]
 > Note: AArch64-based machines are not supported for Windows as it's currently missing an entropy source to be able to seed the [CSPRNGs](https://en.wikipedia.org/wiki/Cryptographically_secure_pseudorandom_number_generator) used in TFHE-rs.
@@ -149,7 +149,7 @@ To run this code, use the following command:
 > Note that when running code that uses `TFHE-rs`, it is highly recommended
 to run in release mode with cargo's `--release` flag to have the best performance possible.

-*Find an example with more explanations in [this part of the documentation](https://docs.zama.org/tfhe-rs/get-started/quick-start)*
+*Find an example with more explanations in [this part of the documentation](https://docs.zama.ai/tfhe-rs/get-started/quick-start)*

 <p align="right">
  <a href="#about" > ↑ Back to top </a>
@@ -163,25 +163,25 @@ to run in release mode with cargo's `--release` flag to have the best performanc
 A document containing scientific and technical details about algorithms implemented into the library is available here: [TFHE-rs: A (Practical) Handbook](https://github.com/zama-ai/tfhe-rs-handbook/blob/main/tfhe-rs-handbook.pdf).

 ### TFHE deep dive
- [TFHE Deep Dive - Part I - Ciphertext types](https://www.zama.org/post/tfhe-deep-dive-part-1)
- [TFHE Deep Dive - Part II - Encodings and linear leveled operations](https://www.zama.org/post/tfhe-deep-dive-part-2)
- [TFHE Deep Dive - Part III - Key switching and leveled multiplications](https://www.zama.org/post/tfhe-deep-dive-part-3)
- [TFHE Deep Dive - Part IV - Programmable Bootstrapping](https://www.zama.org/post/tfhe-deep-dive-part-4)
+- [TFHE Deep Dive - Part I - Ciphertext types](https://www.zama.ai/post/tfhe-deep-dive-part-1)
+- [TFHE Deep Dive - Part II - Encodings and linear leveled operations](https://www.zama.ai/post/tfhe-deep-dive-part-2)
+- [TFHE Deep Dive - Part III - Key switching and leveled multiplications](https://www.zama.ai/post/tfhe-deep-dive-part-3)
+- [TFHE Deep Dive - Part IV - Programmable Bootstrapping](https://www.zama.ai/post/tfhe-deep-dive-part-4)
 <br></br>

 ### Tutorials
- [Video tutorial: Implement signed integers using TFHE-rs](https://www.zama.org/post/video-tutorial-implement-signed-integers-sing-tfhe-rs)
- [Homomorphic parity bit](https://docs.zama.org/tfhe-rs/tutorials/parity-bit)
- [Homomorphic case changing on Ascii string](https://docs.zama.org/tfhe-rs/tutorials/ascii-fhe-string)
- [Boolean SHA256 with TFHE-rs](https://www.zama.org/post/boolean-sha256-tfhe-rs)
- [Dark market with TFHE-rs](https://www.zama.org/post/dark-market-tfhe-rs)
- [Regular expression engine with TFHE-rs](https://www.zama.org/post/regex-engine-tfhe-rs)
+- [[Video tutorial] Implement signed integers using TFHE-rs ](https://www.zama.ai/post/video-tutorial-implement-signed-integers-sing-tfhe-rs)
+- [Homomorphic parity bit](https://docs.zama.ai/tfhe-rs/tutorials/parity-bit)
+- [Homomorphic case changing on Ascii string](https://docs.zama.ai/tfhe-rs/tutorials/ascii-fhe-string)
+- [Boolean SHA256 with TFHE-rs](https://www.zama.ai/post/boolean-sha256-tfhe-rs)
+- [Dark market with TFHE-rs](https://www.zama.ai/post/dark-market-tfhe-rs)
+- [Regular expression engine with TFHE-rs](https://www.zama.ai/post/regex-engine-tfhe-rs)

-*Explore more useful resources in [TFHE-rs tutorials](https://docs.zama.org/tfhe-rs/tutorials) and [Awesome Zama repo](https://github.com/zama-ai/awesome-zama)*
+*Explore more useful resources in [TFHE-rs tutorials](https://docs.zama.ai/tfhe-rs/tutorials) and [Awesome Zama repo](https://github.com/zama-ai/awesome-zama)*
 <br></br>
 ### Documentation

-Full, comprehensive documentation is available here: [https://docs.zama.org/tfhe-rs](https://docs.zama.org/tfhe-rs).
+Full, comprehensive documentation is available here: [https://docs.zama.ai/tfhe-rs](https://docs.zama.ai/tfhe-rs).
 <p align="right">
  <a href="#about" > ↑ Back to top </a>
 </p>
@@ -202,7 +202,7 @@ When a new update is published in the Lattice Estimator, we update parameters ac
 ### Security model

 By default, the parameter sets used in the High-Level API have a failure probability $\le 2^{-128}$ to securely work in the IND-CPA^D model using the algorithmic techniques provided in our code base [1].
-If you want to work within the IND-CPA security model, which is less strict than the IND-CPA-D model, the parameter sets can easily be changed and would have slightly better performance. More details can be found in the [TFHE-rs documentation](https://docs.zama.org/tfhe-rs).
+If you want to work within the IND-CPA security model, which is less strict than the IND-CPA-D model, the parameter sets can easily be changed and would have slightly better performance. More details can be found in the [TFHE-rs documentation](https://docs.zama.ai/tfhe-rs).

 [1] Bernard, Olivier, et al. "Drifting Towards Better Error Probabilities in Fully Homomorphic Encryption Schemes". https://eprint.iacr.org/2024/1718.pdf

@@ -231,7 +231,7 @@ To cite TFHE-rs in academic papers, please use the following entry:
 There are two ways to contribute to TFHE-rs:

 - [Open issues](https://github.com/zama-ai/tfhe-rs/issues/new/choose) to report bugs and typos, or to suggest new ideas
- Request to become an official contributor by emailing [hello@zama.org](mailto:hello@zama.org).
+- Request to become an official contributor by emailing [hello@zama.ai](mailto:hello@zama.ai).

 Becoming an approved contributor involves signing our Contributor License Agreement (CLA). Only approved contributors can send pull requests, so please make sure to get in touch before you do!
 <br></br>
@@ -243,16 +243,16 @@ This software is distributed under the **BSD-3-Clause-Clear** license. Read [thi
 **Is Zama’s technology free to use?**
 >Zama’s libraries are free to use under the BSD 3-Clause Clear license only for development, research, prototyping, and experimentation purposes. However, for any commercial use of Zama's open source code, companies must purchase Zama’s commercial patent license.
 >
->Everything we do is open source and we are very transparent on what it means for our users, you can read more about how we monetize our open source products at Zama in [this blogpost](https://www.zama.org/post/open-source).
+>Everything we do is open source and we are very transparent on what it means for our users, you can read more about how we monetize our open source products at Zama in [this blogpost](https://www.zama.ai/post/open-source).

 **What do I need to do if I want to use Zama’s technology for commercial purposes?**
->To commercially use Zama’s technology you need to be granted Zama’s patent license. Please contact us hello@zama.org for more information.
+>To commercially use Zama’s technology you need to be granted Zama’s patent license. Please contact us hello@zama.ai for more information.

 **Do you file IP on your technology?**
 >Yes, all Zama’s technologies are patented.

 **Can you customize a solution for my specific use case?**
->We are open to collaborating and advancing the FHE space with our partners. If you have specific needs, please email us at hello@zama.org.
+>We are open to collaborating and advancing the FHE space with our partners. If you have specific needs, please email us at hello@zama.ai.

 <p align="right">
  <a href="#about" > ↑ Back to top </a>
@@ -261,7 +261,7 @@ This software is distributed under the **BSD-3-Clause-Clear** license. Read [thi

 ## Support

-<a target="_blank" href="https://community.zama.org">
+<a target="_blank" href="https://community.zama.ai">
 <picture>
  <source media="(prefers-color-scheme: dark)" srcset="https://github.com/zama-ai/tfhe-rs/assets/157474013/08656d0a-3f44-4126-b8b6-8c601dff5380">
  <source media="(prefers-color-scheme: light)" srcset="https://github.com/zama-ai/tfhe-rs/assets/157474013/1c9c9308-50ac-4aab-a4b9-469bb8c536a4">
--- a/_typos.toml
+++ b/_typos.toml
@@ -15,3 +15,12 @@ extend-ignore-identifiers-re = [
    "0x[0-9a-fA-F]+",
    "xrt_coreutil",
 ]
+
+[files]
+extend-exclude = [
+    "backends/tfhe-cuda-backend/cuda/src/fft128/twiddles.cu",
+    "backends/tfhe-cuda-backend/cuda/src/fft/twiddles.cu",
+    "backends/tfhe-hpu-backend/config_store/**/*.link_summary",
+    "*.cbor",
+    "*.bcode",
+]
--- a/apps/princev2/Cargo.toml
+++ b/apps/princev2/Cargo.toml
@@ -1,23 +0,0 @@
-[package]
-name = "tfhe-princev2"
-version = "0.1.0"
-edition = "2021"
-
-[dependencies]
-rayon = "1.11.0"
-tfhe = { path = "../../tfhe", features = ["shortint"] }
-
-[dev-dependencies]
-criterion = "0.5.1"
-
-[features]
-verbose-timings = []
-
-[profile.release]
-lto = "fat"
-opt-level = 3
-codegen-units = 1
-
-[[bench]]
-name = "princev2"
-harness = false
--- a/apps/princev2/README.md
+++ b/apps/princev2/README.md
@@ -1,79 +0,0 @@
-# FHE implementation of PRINCEv2 using TFHE-rs
-
-This crate implements homomorphic encryption and decryption of the PRINCEv2 block cipher [BEK+20] using TFHE-rs's shortint API. It takes FHE ciphertexts representing the plaintext (resp. ciphertext) block and the two halves of the PRINCEv2 key and produces FHE ciphertexts of the encrypted (resp. decrypted) block.
-
-Inputs and outputs encrypt 64-bit integers that are represented as vectors of 2-bit nibbles, most significant nibble first, stacked in the lower part of the FHE message space of each ciphertext.
-
-The cipher itself (a succession of S-box, Linear, Permutation, Xor layers) is evaluated under FHE using the `shortint` API, systematically operating on 4-bit lookup tables. More details on the FHE design can be found in [BJ26, Section 6].
-
-## References
-
-PRINCEv2 is specified in:
-> [BEK+20] Dusan Božilov, Maria Eichlseder, Miroslav Kneževic, Baptiste Lambin, Gregor Leander, Thorben Moos, Ventzislav Nikov, Shahram Rasoolzadeh, Yosuke Todo, and Friedrich Wiemer. *PRINCEv2: More security for (almost) no overhead.* In Selected Areas in Cryptography (SAC 2020), volume 12804 of LNCS, pp.483--511, Springer, 2020. DOI:10.1007/978-3-030-81652-0_19.
-
-Test vectors are those of Appendix B of the paper.
-
-More details on the FHE implementation design can be found in Section 6 of:
-> [BJ26] Olivier Bernard and Marc Joye. *Hash function constructions from lightweight block ciphers for fully homomorphic encryption*. Cryptology ePrint Archive, ePrint:2026/309, 2026.
-
-## Layout
-
- `src/u64_conv.rs` — plaintext-side conversions between `u64` and the 32-element 2-bit-nibble vectors used on the FHE side; it exposes `u64_to_vec_u2` and `vec_u2_to_u64` as part of the encoding contract for the underlying plaintexts of the inputs and outputs.
- `src/permute.rs` — generic permutation helper over ciphertext arrays.
- `src/pv2_lut.rs` — precomputed S-box, inverse S-box, M-layer and round-constant lookup tables.
- `src/pv2_cipher.rs` — the homomorphic round functions and the public `pv2_encrypt` / `pv2_decrypt` entry points.
- `tests/pv2_kat.rs` — known-answer tests against the paper vectors.
- `benches/princev2.rs` — benchmarks for a full call of `pv2_encrypt` (`pv2_decrypt` has exactly the same performance characteristics).
-
-## Usage
-
-```rust,no_run
-use tfhe::shortint::parameters::PARAM_MESSAGE_2_CARRY_2_KS_PBS_GAUSSIAN_2M128;
-use tfhe::shortint::prelude::*;
-use tfhe_princev2::{pv2_encrypt, u64_to_vec_u2, vec_u2_to_u64};
-
-let (s_key, ev_key) = tfhe::shortint::gen_keys(PARAM_MESSAGE_2_CARRY_2_KS_PBS_GAUSSIAN_2M128);
-
-let encode = |x: u64| -> [Ciphertext; 32] {
-    let nibbles = u64_to_vec_u2(x);
-    let v: Vec<_> = nibbles.into_iter().map(|n| s_key.encrypt(n as u64)).collect();
-    v.try_into().unwrap()
-};
-
-let ct_m  = encode(0x0123456789abcdef);
-let ct_k0 = encode(0x0123456789abcdef);
-let ct_k1 = encode(0xfedcba9876543210);
-
-let mut ct_out: [Ciphertext; 32] = std::array::from_fn(|_| ev_key.create_trivial(0));
-pv2_encrypt(&ev_key, &mut ct_out, &ct_m, &ct_k0, &ct_k1);
-
-let out_nibbles: [u8; 32] =
-    std::array::from_fn(|i| s_key.decrypt_message_and_carry(&ct_out[i]) as u8);
-assert_eq!(vec_u2_to_u64(out_nibbles), 0x603cd95fa72a8704);
-```
-
-## Running tests
-
-```bash
-RAYON_NUM_THREADS=64 cargo test --release --test pv2_kat -- --test-threads=1
-```
-
-Each KAT should take approximately 5 seconds (resp. 800ms) on 8 cores (resp. 64 cores) on an Amazon AWS hpc7a.96xlarge machine. There are currently 10 KATs (5 for encryption and same for decryption). Optimal timings depend on the hardware but will be structurally better using a number of threads which is a power of 2 up to 64; the best possible latency is obtained through 64 individual threads.
-
-
-## Optional verbose timings
-
-```bash
-RAYON_NUM_THREADS=64 cargo test --release --test pv2_kat --features verbose-timings -- --test-threads=1 --nocapture
-```
-
-This times each internal round function call and emits one `eprintln!` per such call.
-
-
-## Running benchmarks
-
-```bash
-RAYON_NUM_THREADS=64 cargo bench --bench princev2
-```
-
-Timings obtained on up to 64 cores of an `Amazon AWS hpc7a.96xlarge` machine can also be found in [BJ26, Table 6.1].
--- a/apps/princev2/benches/princev2.rs
+++ b/apps/princev2/benches/princev2.rs
@@ -1,86 +0,0 @@
-//! Benchmarks for homomorphic PRINCEv2 encryption (and decryption)
-//!
-//! Times one full call of `pv2_encrypt`, i.e., transciphering one block of 64 bits.
-//! Note that decryption `pv2_decrypt` follows exactly the same logic as encryption with different
-//! constants, hence it is not benched separately.
-
-use criterion::{criterion_group, criterion_main, Criterion};
-
-use tfhe::shortint::parameters::PARAM_MESSAGE_2_CARRY_2_KS_PBS_GAUSSIAN_2M128;
-use tfhe::shortint::prelude::*;
-
-use tfhe_princev2::{pv2_encrypt, u64_to_vec_u2, vec_u2_to_u64};
-
-// [NB] We don't expect pv2_decrypt() to behave differently from pv2_encrypt()
-criterion_group!(pv2_benches, bench_pv2_encrypt);
-criterion_main!(pv2_benches);
-
-// KAT structure for Pv2 cipher
-struct Pv2Kat {
-    name: &'static str,
-    ptxt: u64,
-    k0: u64,
-    k1: u64,
-    ctxt: u64,
-}
-
-static PV2_KAT_LN2: Pv2Kat = Pv2Kat {
-    // ptxt, k0, k1 are the first three u64 words of ln(2) fractional part.
-    // ctxt was computed with the Sagemaths reference implementation and cross-checked here.
-    name: "PRINCEv2 KAT from ln(2)",
-    ptxt: 0xb17217f7d1cf79ab,
-    k0: 0xc9e3b39803f2f6af,
-    k1: 0x40f343267298b62d,
-    ctxt: 0x40ac916b4598216d,
-};
-
-/// Encrypt a u64 as 32 ciphertexts, each holding a 2-bit nibble in the low bits of the FHE message
-/// space. Most significant bits of the input are at index 0 in the output
-fn encrypt_u64_as_vec_u2l(s_key: &ClientKey, x: u64) -> [Ciphertext; 32] {
-    let x_u2: [u8; 32] = u64_to_vec_u2(x);
-    let ct: Vec<Ciphertext> = x_u2
-        .into_iter()
-        .map(|u2| s_key.encrypt(u2 as u64))
-        .collect();
-    ct.try_into().unwrap()
-}
-
-/// Reverse of function encrypt_u64_as_vec_u2l()
-fn decrypt_vec_u2l_as_u64(s_key: &ClientKey, v: &[Ciphertext; 32]) -> u64 {
-    let x_u2: [u8; 32] = std::array::from_fn(|n| s_key.decrypt_message_and_carry(&v[n]) as u8);
-    let x: u64 = vec_u2_to_u64(x_u2);
-    x
-}
-
-/// Run benches for PRINCEv2 transciphering.
-fn bench_pv2_encrypt(c: &mut Criterion) {
-    let (s_key, ev_key): (ClientKey, ServerKey) = // Params: Need 4-bits msg + nu >= 4
-        tfhe::shortint::gen_keys(PARAM_MESSAGE_2_CARRY_2_KS_PBS_GAUSSIAN_2M128);
-
-    // Encryptions of inputs (k0,k1,m)
-    let ct_k0: [Ciphertext; 32] = encrypt_u64_as_vec_u2l(&s_key, PV2_KAT_LN2.k0);
-    let ct_k1: [Ciphertext; 32] = encrypt_u64_as_vec_u2l(&s_key, PV2_KAT_LN2.k1);
-    let ct_m: [Ciphertext; 32] = encrypt_u64_as_vec_u2l(&s_key, PV2_KAT_LN2.ptxt);
-
-    // PRINCEv2 Enc in FHE
-    let mut ct_out: [Ciphertext; 32] = std::array::from_fn(|_| ev_key.create_trivial(0)); // [NB] shortint::create_trivial() vs boolean::trivial_encrypt()
-    c.bench_function("PRINCEv2 Trans-Encryption of one message block", |b| {
-        b.iter(|| {
-            pv2_encrypt(&ev_key, &mut ct_out, &ct_m, &ct_k0, &ct_k1);
-        });
-    });
-
-    // Testing the (de-)encrypted result
-    let pt_out: u64 = decrypt_vec_u2l_as_u64(&s_key, &ct_out);
-    assert_eq!(
-        pt_out,
-        PV2_KAT_LN2.ctxt,
-        "{} failed: ptxt={:#018x}, k0={:#018x}, k1={:#018x}, expected={:#018x}, got={:#018x}",
-        PV2_KAT_LN2.name,
-        PV2_KAT_LN2.ptxt,
-        PV2_KAT_LN2.k0,
-        PV2_KAT_LN2.k1,
-        PV2_KAT_LN2.ctxt,
-        pt_out
-    );
-}
--- a/apps/princev2/src/lib.rs
+++ b/apps/princev2/src/lib.rs
@@ -1,9 +0,0 @@
-// Pure Rust Helpers
-mod u64_conv;
-pub use u64_conv::{u64_to_vec_u2, vec_u2_to_u64}; // For tests, part of the encoding contract for pv2_encrypt()/pv2_decrypt()
-mod permute;
-
-// Cipher internals: pre-computed constants, s-box and perms
-mod pv2_cipher;
-mod pv2_lut;
-pub use pv2_cipher::{pv2_decrypt, pv2_encrypt};
--- a/apps/princev2/src/permute.rs
+++ b/apps/princev2/src/permute.rs
@@ -1,68 +0,0 @@
-/*
- * Apply Permutations on arrays
- * --------------------------------------------------------------------------------------------- */
-
-pub fn apply_perm_assign<T>(list: &mut [T], order: &[usize]) {
-    assert_eq!(list.len(), order.len());
-    let n: usize = order.len();
-    let mut done: Vec<bool> = vec![false; n];
-
-    for i in 0..n {
-        // Do not cycle multiple times
-        if done[i] {
-            continue;
-        }
-        let mut from = i;
-        let mut to = order[i];
-
-        // Cycle always of length < n
-        while to != i {
-            list.swap(from, to);
-            done[from] = true;
-            from = to;
-            to = order[to];
-        }
-        done[from] = true;
-    }
-}
-
-#[test]
-fn test_apply_perm_assign() {
-    let perm: [usize; 16] = [
-        0x0, 0x5, 0xa, 0xf, 0x4, 0x9, 0xe, 0x3, 0x8, 0xd, 0x2, 0x7, 0xc, 0x1, 0x6, 0xb,
-    ];
-    let mut list: [u8; 16] = [
-        0x8, 0x3, 0x2, 0xb, 0xd, 0x4, 0x6, 0xf, 0x1, 0x0, 0x8, 0xe, 0x7, 0x8, 0x5, 0x7,
-    ];
-    let exp_res: [u8; 16] = [
-        0x8, 0x4, 0x8, 0x7, 0xd, 0x0, 0x5, 0xb, 0x1, 0x8, 0x2, 0xf, 0x7, 0x3, 0x6, 0xe,
-    ];
-
-    apply_perm_assign(&mut list, &perm);
-    assert_eq!(exp_res, list);
-
-    #[rustfmt::skip]
-    let perm: [usize; 64] = [ // FHE_MP_PERM_FW
-        0x00, 0x05, 0x0a, 0x0f, 0x12, 0x17, 0x18, 0x1d, 0x21, 0x26, 0x2b, 0x2c, 0x31, 0x36, 0x3b, 0x3c,
-        0x13, 0x14, 0x19, 0x1e, 0x22, 0x27, 0x28, 0x2d, 0x32, 0x37, 0x38, 0x3d, 0x01, 0x06, 0x0b, 0x0c,
-        0x23, 0x24, 0x29, 0x2e, 0x33, 0x34, 0x39, 0x3e, 0x02, 0x07, 0x08, 0x0d, 0x10, 0x15, 0x1a, 0x1f,
-        0x30, 0x35, 0x3a, 0x3f, 0x03, 0x04, 0x09, 0x0e, 0x11, 0x16, 0x1b, 0x1c, 0x20, 0x25, 0x2a, 0x2f,
-    ];
-    #[rustfmt::skip]
-    let mut list: [u8; 64] = [ // Random
-        0xc2, 0x0d, 0x97, 0xd6, 0xb0, 0x79, 0x1b, 0x43, 0xcd, 0x03, 0x33, 0xfe, 0x4b, 0x1c, 0x7f, 0xa9,
-        0xc0, 0xc2, 0xa7, 0x17, 0x88, 0xbf, 0xa6, 0x49, 0x5d, 0xcd, 0x11, 0xee, 0xdc, 0xc4, 0x17, 0x90,
-        0x12, 0x7e, 0x0d, 0xb0, 0x1f, 0x58, 0xf5, 0xf4, 0x9f, 0xcc, 0xdd, 0xca, 0x49, 0x5a, 0x0e, 0xd2,
-        0xf6, 0x37, 0xe9, 0x40, 0x6d, 0x56, 0x79, 0x53, 0xd6, 0x63, 0x6f, 0x8a, 0xf5, 0xaa, 0x5b, 0x08,
-    ];
-    #[rustfmt::skip]
-    let exp_res: [u8; 64] = [
-        0xc2, 0x79, 0x33, 0xa9, 0xa7, 0x49, 0x5d, 0xc4, 0x7e, 0xf5, 0xca, 0x49, 0x37, 0x79, 0x8a, 0xf5,
-        0x17, 0x88, 0xcd, 0x17, 0x0d, 0xf4, 0x9f, 0x5a, 0xe9, 0x53, 0xd6, 0xaa, 0x0d, 0x1b, 0xfe, 0x4b,
-        0xb0, 0x1f, 0xcc, 0x0e, 0x40, 0x6d, 0x63, 0x5b, 0x97, 0x43, 0xcd, 0x1c, 0xc0, 0xbf, 0x11, 0x90,
-        0xf6, 0x56, 0x6f, 0x08, 0xd6, 0xb0, 0x03, 0x7f, 0xc2, 0xa6, 0xee, 0xdc, 0x12, 0x58, 0xdd, 0xd2,
-    ];
-
-    apply_perm_assign(&mut list, &perm);
-    assert_eq!(exp_res, list);
-}
--- a/apps/princev2/src/pv2_cipher.rs
+++ b/apps/princev2/src/pv2_cipher.rs
@@ -1,537 +0,0 @@
-use rayon::prelude::*;
-use tfhe::shortint::prelude::*;
-
-use crate::permute; // permute/shuffle/swap arrays
-use crate::pv2_lut; // fhe luts and constants for prince v2
-
-/* Macro to monitor individual functions timings (feature related: "verbose-timings") */
-macro_rules! monitor {
-    ($fn:ident($( $a:expr ), *)) => {
-        #[cfg(feature = "verbose-timings")]
-        let t0 = std::time::Instant::now();
-        $fn($( $a), *);
-        #[cfg(feature = "verbose-timings")]
-        eprintln!("{}:\t{:.4?}", stringify!($fn), t0.elapsed())
-    }
-}
-
-/* out_u4 = (in_u2q xor ct_k) as vec_u4
- * [Parallel:(32)/32/(16)] XOR stage -> u4 */
-fn pv2_xor_to_u4(
-    ev_key: &ServerKey,
-    out_u4: &mut [Ciphertext; 16],
-    in_u2q: &[Ciphertext; 32],
-    ct_k: &[Ciphertext; 32],
-) {
-    // xor alternatively to pair of high/low bits
-    let zlut_xor_fw = [
-        ev_key.generate_lookup_table(|x: u64| pv2_lut::PV2_XOR_FW[0][x as usize] as u64),
-        ev_key.generate_lookup_table(|x: u64| pv2_lut::PV2_XOR_FW[1][x as usize] as u64),
-    ];
-
-    /* "Bivariate" xor ------------------------------------------------------------------
-     * Sum in_u2q + ct_k, apply xor LUT to high or low bit */
-    /* [Sequential]
-    let mut ct_hl: [Ciphertext; 32] = std::array::from_fn(|n| ev_key.unchecked_add(&in_u2q[n], &ct_k[n]));
-    for n in 0..32 {
-        ev_key.apply_lookup_table_assign(&mut ct_hl[n], &zlut_xor_fw[n & 0x1]);
-    }
-    // */
-    //* [Parallel:32]
-    let ct_hl: [Ciphertext; 32] = (0..32)
-        .into_par_iter()
-        .map(|n| {
-            let both_n: Ciphertext = ev_key.unchecked_add(&in_u2q[n], &ct_k[n]);
-            ev_key.apply_lookup_table(&both_n, &zlut_xor_fw[n & 0x1]) // Combined version faster?
-        })
-        .collect::<Vec<_>>()
-        .try_into()
-        .unwrap();
-    // */
-    // [Parallel:16] Sum by pairs
-    /* (*out_u4) = (0..16).into_par_iter().map(|w| {
-        ev_key.unchecked_add(&ct_hl[2*w], &ct_hl[2*w+1])
-    }).collect::<Vec<_>>().try_into().unwrap();*/
-    for w in 0..16 {
-        out_u4[w] = ev_key.unchecked_add(&ct_hl[2 * w], &ct_hl[2 * w + 1]);
-    }
-}
-
-/* out_b = (in_u2q xor ct_k) as vec_b
- * [Parallel:(32)/64] -> drifted bits */
-fn pv2_xor_to_b(
-    ev_key: &ServerKey,
-    out_b: &mut [Ciphertext; 64],
-    in_u2q: &[Ciphertext; 32],
-    ct_k: &[Ciphertext; 32],
-) {
-    let zlut_xor_bh = [
-        ev_key.generate_lookup_table(|x: u64| pv2_lut::PV2_XOR_BH[0][x as usize] as u64),
-        ev_key.generate_lookup_table(|x: u64| pv2_lut::PV2_XOR_BH[1][x as usize] as u64),
-        ev_key.generate_lookup_table(|x: u64| pv2_lut::PV2_XOR_BH[2][x as usize] as u64),
-        ev_key.generate_lookup_table(|x: u64| pv2_lut::PV2_XOR_BH[3][x as usize] as u64),
-    ];
-    let zlut_xor_bl = [
-        ev_key.generate_lookup_table(|x: u64| pv2_lut::PV2_XOR_BL[0][x as usize] as u64),
-        ev_key.generate_lookup_table(|x: u64| pv2_lut::PV2_XOR_BL[1][x as usize] as u64),
-        ev_key.generate_lookup_table(|x: u64| pv2_lut::PV2_XOR_BL[2][x as usize] as u64),
-        ev_key.generate_lookup_table(|x: u64| pv2_lut::PV2_XOR_BL[3][x as usize] as u64),
-    ];
-
-    // [Parallel:32] Sum in_u2q + ct_k --> could stay as iter? and assign in the following loop
-    let ct_hl: [Ciphertext; 32] =
-        std::array::from_fn(|n| ev_key.unchecked_add(&in_u2q[n], &ct_k[n]));
-
-    // Apply xor (incl. bit_extract) luts on each nibble
-    /* [Sequential]
-    for w in 0..16 {
-        let b_pos    = w & 0x3; // w mod 4 (b_pos:0123_b, so b_pos=0 is for (b << 3))
-        out_b[4*w]   = ev_key.apply_lookup_table(&ct_hl[2*w],   &zlut_xor_bh[b_pos]);
-        out_b[4*w+1] = ev_key.apply_lookup_table(&ct_hl[2*w],   &zlut_xor_bl[b_pos]);
-        out_b[4*w+2] = ev_key.apply_lookup_table(&ct_hl[2*w+1], &zlut_xor_bh[b_pos]);
-        out_b[4*w+3] = ev_key.apply_lookup_table(&ct_hl[2*w+1], &zlut_xor_bl[b_pos]);
-    } // */
-    //* [Parallel:64] Apply xor (incl. bit_extract) luts on each nibble
-    (*out_b) = (0..64)
-        .into_par_iter()
-        .map(|idx| {
-            let n: usize = idx >> 1; // 2*w or 2*w+1
-            let w: usize = idx >> 2;
-            let b_pos: usize = w & 0x3;
-            let zlut_bhl_pos = if (idx & 0x1) == 1 {
-                &zlut_xor_bl[b_pos]
-            } else {
-                &zlut_xor_bh[b_pos]
-            };
-            ev_key.apply_lookup_table(&ct_hl[n], zlut_bhl_pos)
-        })
-        .collect::<Vec<_>>()
-        .try_into()
-        .unwrap(); // */
-}
-
-// [Parallel:(32)/32]
-fn pv2_xor_to_u2(
-    ev_key: &ServerKey,
-    out_u2: &mut [Ciphertext; 32],
-    in_u2q: &[Ciphertext; 32],
-    ct_k: &[Ciphertext; 32],
-) {
-    let zlut_xor =
-        ev_key.generate_lookup_table(|x: u64| pv2_lut::PV2_XOR_TO_LOW[x as usize] as u64);
-
-    /* [Sequential]
-    for n in 0..32 {
-        out_u2[n] = ev_key.unchecked_add(&in_u2q[n], &ct_k[n]);
-        ev_key.apply_lookup_table_assign(&mut out_u2[n], &zlut_xor);
-    } // */
-    // [Parallel:32] Apply xor luts on each nibble
-    //* [Parallel:32]
-    (*out_u2) = (0..32)
-        .into_par_iter()
-        .map(|n| {
-            let both_n: Ciphertext = ev_key.unchecked_add(&in_u2q[n], &ct_k[n]);
-            ev_key.apply_lookup_table(&both_n, &zlut_xor)
-        })
-        .collect::<Vec<_>>()
-        .try_into()
-        .unwrap(); // */
-}
-
-// [Parallel:64/(32/16)/64/(32)] Fw Round
-// Forward round receives full 4-bit nibbles (16) and returns 2-bit nibbles (32) packed on high bits
-fn pv2_fw_round(
-    ev_key: &ServerKey,
-    out_u2q: &mut [Ciphertext; 32], // out: 2-bits (high)
-    in_u4: &[Ciphertext; 16],       // in:  4-bits (full)
-    zlut: &[[u8; 16]; 16],
-) {
-    /* S-Boxes ------------------------------------------------------------------------------------
-     * . each 4-bit nibbles requires 4 applications of (same LUT + Bit extraction)
-     * . extracted bits for word w go at position 3-w mod 4 (w=0 --> b000, w=1 --> 0b00, etc) */
-    /* [Sequential]
-    let mut ct_tmp: [Ciphertext; 64] = std::array::from_fn(|_| ev_key.create_trivial(0));
-    for w in 0..16 {
-        for b in 0..4 { // use apply_many_lookup_tables ?
-            let zlut_b = ev_key.generate_lookup_table(
-                |x:u64| (((zlut[w][x as usize] >> (3-b)) & 0x1) << ((3-w) % 4)) as u64
-            );
-            ct_tmp[b + 4*w] = ev_key.apply_lookup_table(&in_u4[w], &zlut_b);
-        }
-    } // */
-    /* [Sequential::array]
-    let mut ct_tmp: [Ciphertext; 64] = std::array::from_fn(|idx| {
-        let w: usize = idx >> 2;
-        let b: usize = idx & 0x3;
-        let zlut_b = ev_key.generate_lookup_table(
-            |x:u64| (((zlut[w][x as usize] >> (3-b)) & 0x1) << ((3-w) % 4)) as u64
-        );
-        ev_key.apply_lookup_table(&in_u4[w], &zlut_b) // ct_tmp[idx]
-    }); // */
-    //* [Parallel:64]
-    let ct_tmp: [Ciphertext; 64] = (0..64)
-        .into_par_iter()
-        .map(|idx| {
-            // idx = 4*w + b
-            let w: usize = idx >> 2;
-            let b: usize = idx & 0x3;
-            let zlut_b = ev_key.generate_lookup_table(|x: u64| {
-                // [Nb] w=0..15
-                (((zlut[w][x as usize] >> (3 - b)) & 0x1) << (3 - (w % 4))) as u64
-            });
-            ev_key.apply_lookup_table(&in_u4[w], &zlut_b)
-        })
-        .collect::<Vec<_>>()
-        .try_into()
-        .unwrap();
-    // */
-    /* Bridging Sbox --> MLayer ----------------------------------------------------------
-     * So as to obtain 4-bit enc nibbles with: 048c, 159d, etc */
-    // TODO(?): [Parallel:32/16]
-    for w in 0..16 {
-        // this uses u2q for some u4 ahead of time (as temporary holder)
-        let oo: usize = 16 * (w / 4) + (w % 4);
-        out_u2q[w] = ev_key.unchecked_add(&ct_tmp[oo], &ct_tmp[oo + 4]);
-        out_u2q[w + 1] = ev_key.unchecked_add(&ct_tmp[oo + 8], &ct_tmp[oo + 12]);
-        out_u2q[w] = ev_key.unchecked_add(&out_u2q[w], &out_u2q[w + 1]);
-    }
-
-    /* M-layer: Apply exor matrices ------------------------------------------------------ */
-    /* [Sequential]
-    for w in 0..16 {
-        for b in 0..4 {
-            let zlut_ex = ev_key.generate_lookup_table(
-                |x:u64| pv2_lut::PV2_EXOR_FW[w % 2][b][x as usize] as u64
-            );
-            ct_tmp[b + 4*w] = ev_key.apply_lookup_table(&out_u2q[w], &zlut_ex);
-        }
-    } // */
-    //* [Parallel:64]
-    let mut ct_tmp: [Ciphertext; 64] = (0..64)
-        .into_par_iter()
-        .map(|idx| {
-            // idx = 4*w + b
-            let w: usize = idx >> 2;
-            let b: usize = idx & 0x3;
-            let zlut_ex = ev_key
-                .generate_lookup_table(|x: u64| pv2_lut::PV2_EXOR_FW[w % 2][b][x as usize] as u64);
-            ev_key.apply_lookup_table(&out_u2q[w], &zlut_ex)
-        })
-        .collect::<Vec<_>>()
-        .try_into()
-        .unwrap(); // */
-                   // Apply Fhe Perm permutation + Permutation Layer
-                   // --> Directly assign correctly in above loop? as ct_tmp[INV_FHE_MP_PERM_FW[b + 4*w]] = ...
-    permute::apply_perm_assign(&mut ct_tmp, &pv2_lut::FHE_MP_PERM_FW);
-
-    /* Bridging M-Layer --> Xor --------------------------------------------------------- */
-    // [Parallel:32] Combine pairs
-    for n in 0..32 {
-        out_u2q[n] = ev_key.unchecked_add(&ct_tmp[2 * n], &ct_tmp[2 * n + 1]);
-    }
-}
-
-// [Parallel:64/(32)/64/(32/16)/64/(32)/32/(32/16)/32]
-fn pv2_mid_round(
-    ev_key: &ServerKey,
-    out_u2q: &mut [Ciphertext; 32], // out: 2-bits (high)
-    in_u4: &[Ciphertext; 16],       // in:  4-bits (full)
-    ct_k_fst: &[Ciphertext; 32],
-    ct_k_scd: &[Ciphertext; 32],
-    zlut_fst: &[[u8; 16]; 16],
-    zlut_scd: &[[u8; 16]; 16],
-) {
-    /* S-Boxes ------------------------------------------------------------------------------------
-     * /!\ output for xor */
-    /* [Sequential]
-    for w in 0..16 {
-        for b in 0..2 {
-            let zlut_u2q = ev_key.generate_lookup_table(
-                |x:u64| (((pv2_lut::PV2_5_S_M[w][x as usize] >> (2-2*b)) & 0x3) << 2) as u64
-            );
-            out_u2q[b + 2*w] = ev_key.apply_lookup_table(&in_u4[w], &zlut_u2q);
-        }
-    } // */
-    //* [Parallel:64]
-    (*out_u2q) = (0..32)
-        .into_par_iter()
-        .map(|n| {
-            let w: usize = n >> 1;
-            let b: usize = n & 0x1;
-            let zlut_u2q = ev_key.generate_lookup_table(|x: u64| {
-                (((zlut_fst[w][x as usize] >> (2 - 2 * b)) & 0x3) << 2) as u64
-            });
-            ev_key.apply_lookup_table(&in_u4[w], &zlut_u2q)
-        })
-        .collect::<Vec<_>>()
-        .try_into()
-        .unwrap(); // */
-                   /* XOR K0 [Parallel:(32)/64] --------------------------------------------------------- */
-    let mut ct_tmp_b: [Ciphertext; 64] = std::array::from_fn(|_| ev_key.create_trivial(0));
-    pv2_xor_to_b(ev_key, &mut ct_tmp_b, out_u2q, ct_k_fst);
-
-    /* Bridging to M-Layer --------------------------------------------------------------- */
-    // [Parallel:32/16] Comb sum (048c,...)
-    let mut ct_tmp_u4: [Ciphertext; 16] = std::array::from_fn(|_| ev_key.create_trivial(0));
-    for w in 0..16 {
-        // mm, use u2q for some u4 ahead of time
-        let oo: usize = 16 * (w / 4) + (w % 4);
-        out_u2q[w] = ev_key.unchecked_add(&ct_tmp_b[oo], &ct_tmp_b[oo + 4]);
-        out_u2q[w + 1] = ev_key.unchecked_add(&ct_tmp_b[oo + 8], &ct_tmp_b[oo + 12]);
-        ct_tmp_u4[w] = ev_key.unchecked_add(&out_u2q[w], &out_u2q[w + 1]);
-    }
-
-    /* M-layer: Apply exor matrices ------------------------------------------------------ */
-    /* [Sequential]
-    for w in 0..16 {
-        for b in 0..4 {
-            let zlut_ex = ev_key.generate_lookup_table(
-                |x:u64| pv2_lut::PV2_EXOR_FW[w % 2][b][x as usize] as u64
-            );
-            ct_tmp_b[b + 4*w] = ev_key.apply_lookup_table(&ct_tmp_u4[w], &zlut_ex);
-        }
-    } // */
-    //* [Parallel:64]
-    ct_tmp_b = (0..64)
-        .into_par_iter()
-        .map(|idx| {
-            // idx = 4*w + b
-            let w: usize = idx >> 2;
-            let b: usize = idx & 0x3;
-            let zlut_ex = ev_key
-                .generate_lookup_table(|x: u64| pv2_lut::PV2_EXOR_FW[w % 2][b][x as usize] as u64);
-            ev_key.apply_lookup_table(&ct_tmp_u4[w], &zlut_ex)
-        })
-        .collect::<Vec<_>>()
-        .try_into()
-        .unwrap();
-    // */
-    // Apply Fhe Perm permutation
-    permute::apply_perm_assign(&mut ct_tmp_b, &pv2_lut::FHE_M_PERM);
-
-    /* Bridging M-Layer --> Xor --------------------------------------------------------- */
-    // [Parallel:32] Combine pairs
-    for n in 0..32 {
-        out_u2q[n] = ev_key.unchecked_add(&ct_tmp_b[2 * n], &ct_tmp_b[2 * n + 1]);
-    }
-
-    /* XOR k1 [Parallel:(32)/32/(16)] --------------------------------------------------- */
-    pv2_xor_to_u4(ev_key, &mut ct_tmp_u4, out_u2q, ct_k_scd);
-
-    /* S-Boxes ------------------------------------------------------------------------------------
-     * . output 2,2 bits on position (32)00 */
-    /* [Sequential]
-    for w in 0..16 {
-        for b in 0..2 {
-            let zlut_u2q = ev_key.generate_lookup_table(
-                |x:u64| (((pv2_lut::PV2_0_IS_0[w][x as usize] >> (2-2*b)) & 0x3) << 2) as u64
-            );
-            out_u2q[b + 2*w] = ev_key.apply_lookup_table(&ct_tmp_u4[w], &zlut_u2q);
-        }
-    }
-    // */
-    //* [Parallel:32]
-    (*out_u2q) = (0..32)
-        .into_par_iter()
-        .map(|n| {
-            let w: usize = n >> 1;
-            let b: usize = n & 0x1;
-            let zlut_u2q = ev_key.generate_lookup_table(|x: u64| {
-                (((zlut_scd[w][x as usize] >> (2 - 2 * b)) & 0x3) << 2) as u64
-            });
-            ev_key.apply_lookup_table(&ct_tmp_u4[w], &zlut_u2q)
-        })
-        .collect::<Vec<_>>()
-        .try_into()
-        .unwrap(); // */
-}
-
-// [Parallel:(32/16)/64/(32/16)/32]
-fn pv2_bw_round(
-    ev_key: &ServerKey,
-    out_u2q: &mut [Ciphertext; 32], // out: 2-bits (high)
-    in_b: &[Ciphertext; 64],        // in:  1-bits (<< w%4 = 333322221111000033...)
-    zlut: &[[u8; 16]; 16],
-) {
-    let mut ct_tmp_u4: [Ciphertext; 16] = std::array::from_fn(|_| ev_key.create_trivial(0)); // ...
-
-    // iPerm + M-Layer
-    // [Parallel:32/16] Combined iPerm + comb sum (048c,etc)
-    for w in 0..16 {
-        let idx: [usize; 4] =
-            std::array::from_fn(|b| (w & 0x3) + 4 * pv2_lut::IPERM[4 * (w >> 2) + b]);
-        out_u2q[2 * w] = ev_key.unchecked_add(&in_b[idx[0]], &in_b[idx[1]]);
-        out_u2q[2 * w + 1] = ev_key.unchecked_add(&in_b[idx[2]], &in_b[idx[3]]);
-        ct_tmp_u4[w] = ev_key.unchecked_add(&out_u2q[2 * w], &out_u2q[2 * w + 1]);
-    }
-
-    /* M-layer: Apply exor matrices ------------------------------------------------------ */
-    /* [Sequential]
-    let mut ct_tmp_b:  [Ciphertext; 64] = std::array::from_fn(|_| ev_key.create_trivial(0));
-    for w in 0..16 {
-        for b in 0..4 {
-            let zlut_ex = ev_key.generate_lookup_table(
-                |x:u64| pv2_lut::PV2_EXOR_BW[w % 4][b][x as usize] as u64
-            );
-            ct_tmp_b[b + 4*w] = ev_key.apply_lookup_table(&ct_tmp_u4[w], &zlut_ex);
-        }
-    } // */
-    //* [Parallel:64]
-    let mut ct_tmp_b: [Ciphertext; 64] = (0..64)
-        .into_par_iter()
-        .map(|idx| {
-            // idx = 4*w + b
-            let w: usize = idx >> 2;
-            let b: usize = idx & 0x3;
-            let zlut_ex = ev_key
-                .generate_lookup_table(|x: u64| pv2_lut::PV2_EXOR_BW[w % 4][b][x as usize] as u64);
-            ev_key.apply_lookup_table(&ct_tmp_u4[w], &zlut_ex)
-        })
-        .collect::<Vec<_>>()
-        .try_into()
-        .unwrap();
-    // */
-    // FHE Perm permutation
-    permute::apply_perm_assign(&mut ct_tmp_b, &pv2_lut::FHE_M_PERM);
-
-    /* Bridging MLayer --> SBox ----------------------------------------------------------- */
-    // [Parallel:32/16] Combine to u4 = sum[4*i:4*i+4] for i in range(16)
-    for w in 0..16 {
-        out_u2q[2 * w] = ev_key.unchecked_add(&ct_tmp_b[4 * w], &ct_tmp_b[4 * w + 1]);
-        out_u2q[2 * w + 1] = ev_key.unchecked_add(&ct_tmp_b[4 * w + 2], &ct_tmp_b[4 * w + 3]);
-        ct_tmp_u4[w] = ev_key.unchecked_add(&out_u2q[2 * w], &out_u2q[2 * w + 1]);
-    }
-
-    /* S-Boxes ------------------------------------------------------------------------------------
-     * . output 2,2 bits on position (32)00 */
-    /* [Sequential]
-    for w in 0..16 {
-        for b in 0..2 {
-            let zlut_u2q = ev_key.generate_lookup_table(
-                |x:u64| (((zlut[w][x as usize] >> (2-2*b)) & 0x3) << 2) as u64
-            );
-            out_u2q[b + 2*w] = ev_key.apply_lookup_table(&ct_tmp_u4[w], &zlut_u2q);
-        }
-    }
-    // */
-    //* [Parallel:32]
-    (*out_u2q) = (0..32)
-        .into_par_iter()
-        .map(|n| {
-            let w: usize = n >> 1;
-            let b: usize = n & 0x1;
-            let zlut_u2q = ev_key.generate_lookup_table(|x: u64| {
-                (((zlut[w][x as usize] >> (2 - 2 * b)) & 0x3) << 2) as u64
-            });
-            ev_key.apply_lookup_table(&ct_tmp_u4[w], &zlut_u2q)
-        })
-        .collect::<Vec<_>>()
-        .try_into()
-        .unwrap(); // */
-}
-
-/* Encryption -----------------------------------------------------------------------------------
- * (Whitening + Fw Rounds + Mid Round + Bw Rounds + Whitening)
- */
-
-#[rustfmt::skip] // [skip] Each of 22 monitor! calls get split on 5 lines which destroys readability
-pub fn pv2_encrypt(
-    ev_key: &ServerKey,
-    ct_enc: &mut [Ciphertext; 32],
-    ct_m: &[Ciphertext; 32],
-    ct_k0: &[Ciphertext; 32],
-    ct_k1: &[Ciphertext; 32],
-) {
-    // Work buffers: u4, u2q, b (depending on the inner nibbles format, u2q = u2 <<2)
-    let mut ct_u4: [Ciphertext; 16] = std::array::from_fn(|_| ev_key.create_trivial(0));
-    let mut ct_b: [Ciphertext; 64] = std::array::from_fn(|_| ev_key.create_trivial(0));
-    // [Parallel] + Init: ct_m << 2
-    let mut ct_u2q: [Ciphertext; 32] =
-        std::array::from_fn(|n| ev_key.unchecked_scalar_mul(&ct_m[n], 4));
-
-    // Whitening
-    monitor!(pv2_xor_to_u4(ev_key, &mut ct_u4, &ct_u2q, ct_k0));
-    // Forward rounds
-    //*
-    monitor!(pv2_fw_round(ev_key, &mut ct_u2q, &ct_u4, &pv2_lut::PV2_0_S_0));
-    monitor!(pv2_xor_to_u4(ev_key, &mut ct_u4, &ct_u2q, ct_k1));
-    monitor!(pv2_fw_round(ev_key, &mut ct_u2q, &ct_u4, &pv2_lut::PV2_1_S_2));
-    monitor!(pv2_xor_to_u4(ev_key, &mut ct_u4, &ct_u2q, ct_k0));
-    monitor!(pv2_fw_round(ev_key, &mut ct_u2q, &ct_u4, &pv2_lut::PV2_0_S_0));
-    monitor!(pv2_xor_to_u4(ev_key, &mut ct_u4, &ct_u2q, ct_k1));
-    monitor!(pv2_fw_round(ev_key, &mut ct_u2q, &ct_u4, &pv2_lut::PV2_3_S_4));
-    monitor!(pv2_xor_to_u4(ev_key, &mut ct_u4, &ct_u2q, ct_k0));
-    monitor!(pv2_fw_round(ev_key, &mut ct_u2q, &ct_u4, &pv2_lut::PV2_0_S_0));
-    monitor!(pv2_xor_to_u4(ev_key, &mut ct_u4, &ct_u2q, ct_k1)); // */
-    // Middle round
-    //*
-    monitor!(pv2_mid_round(ev_key, &mut ct_u2q, &ct_u4,
-                           ct_k0, ct_k1, &pv2_lut::PV2_5_S_M, &pv2_lut::PV2_0_IS_0)); // */
-    // Backward rounds
-    //*
-    monitor!(pv2_xor_to_b(ev_key, &mut ct_b, &ct_u2q, ct_k0));
-    monitor!(pv2_bw_round(ev_key, &mut ct_u2q, &ct_b, &pv2_lut::PV2_6_IS_7));
-    monitor!(pv2_xor_to_b(ev_key, &mut ct_b, &ct_u2q, ct_k1));
-    monitor!(pv2_bw_round(ev_key, &mut ct_u2q, &ct_b, &pv2_lut::PV2_0_IS_0));
-    monitor!(pv2_xor_to_b(ev_key, &mut ct_b, &ct_u2q, ct_k0));
-    monitor!(pv2_bw_round(ev_key, &mut ct_u2q, &ct_b, &pv2_lut::PV2_8_IS_9));
-    monitor!(pv2_xor_to_b(ev_key, &mut ct_b, &ct_u2q, ct_k1));
-    monitor!(pv2_bw_round(ev_key, &mut ct_u2q, &ct_b, &pv2_lut::PV2_0_IS_0));
-    monitor!(pv2_xor_to_b(ev_key, &mut ct_b, &ct_u2q, ct_k0));
-    monitor!(pv2_bw_round(ev_key, &mut ct_u2q, &ct_b, &pv2_lut::PV2_A_IS_B));
-    // Last Xor to u2l
-    monitor!(pv2_xor_to_u2(ev_key, ct_enc, &ct_u2q, ct_k1)); // */
-}
-
-/* Decryption -----------------------------------------------------------------------------------
- * Inverse of pv2_encrypt().
- */
-
-#[rustfmt::skip] // [skip] Each of 22 monitor! calls get split on 5 lines which destroys readability
-pub fn pv2_decrypt(
-    ev_key: &ServerKey,
-    ct_dec: &mut [Ciphertext; 32],
-    ct_c: &[Ciphertext; 32],
-    ct_k0: &[Ciphertext; 32],
-    ct_k1: &[Ciphertext; 32],
-) {
-    // Work buffers: u4, u2q, b (depending on the inner nibbles format, u2q = u2 <<2)
-    let mut ct_u4: [Ciphertext; 16] = std::array::from_fn(|_| ev_key.create_trivial(0));
-    let mut ct_b: [Ciphertext; 64] = std::array::from_fn(|_| ev_key.create_trivial(0));
-    // [Parallel] + Init: ct_m << 2
-    let mut ct_u2q: [Ciphertext; 32] =
-        std::array::from_fn(|n| ev_key.unchecked_scalar_mul(&ct_c[n], 4));
-
-    // Whitening
-    monitor!(pv2_xor_to_u4(ev_key, &mut ct_u4, &ct_u2q, ct_k1));
-    // Forward rounds
-    //*
-    monitor!(pv2_fw_round(ev_key, &mut ct_u2q, &ct_u4, &pv2_lut::PV2_B_S_A));
-    monitor!(pv2_xor_to_u4(ev_key, &mut ct_u4, &ct_u2q, ct_k0));
-    monitor!(pv2_fw_round(ev_key, &mut ct_u2q, &ct_u4, &pv2_lut::PV2_0_S_0));
-    monitor!(pv2_xor_to_u4(ev_key, &mut ct_u4, &ct_u2q, ct_k1));
-    monitor!(pv2_fw_round(ev_key, &mut ct_u2q, &ct_u4, &pv2_lut::PV2_9_S_8));
-    monitor!(pv2_xor_to_u4(ev_key, &mut ct_u4, &ct_u2q, ct_k0));
-    monitor!(pv2_fw_round(ev_key, &mut ct_u2q, &ct_u4, &pv2_lut::PV2_0_S_0));
-    monitor!(pv2_xor_to_u4(ev_key, &mut ct_u4, &ct_u2q, ct_k1));
-    monitor!(pv2_fw_round(ev_key, &mut ct_u2q, &ct_u4, &pv2_lut::PV2_7_S_6));
-    monitor!(pv2_xor_to_u4(ev_key, &mut ct_u4, &ct_u2q, ct_k0)); // */
-    // Middle round
-    //*
-    monitor!(pv2_mid_round(ev_key, &mut ct_u2q, &ct_u4,
-                           ct_k1, ct_k0, &pv2_lut::PV2_0_S_0, &pv2_lut::PV2_M_IS_5)); // */
-    // Backward rounds
-    //*
-    monitor!(pv2_xor_to_b(ev_key, &mut ct_b, &ct_u2q, ct_k1));
-    monitor!(pv2_bw_round(ev_key, &mut ct_u2q, &ct_b, &pv2_lut::PV2_0_IS_0));
-    monitor!(pv2_xor_to_b(ev_key, &mut ct_b, &ct_u2q, ct_k0));
-    monitor!(pv2_bw_round(ev_key, &mut ct_u2q, &ct_b, &pv2_lut::PV2_4_IS_3));
-    monitor!(pv2_xor_to_b(ev_key, &mut ct_b, &ct_u2q, ct_k1));
-    monitor!(pv2_bw_round(ev_key, &mut ct_u2q, &ct_b, &pv2_lut::PV2_0_IS_0));
-    monitor!(pv2_xor_to_b(ev_key, &mut ct_b, &ct_u2q, ct_k0));
-    monitor!(pv2_bw_round(ev_key, &mut ct_u2q, &ct_b, &pv2_lut::PV2_2_IS_1));
-    monitor!(pv2_xor_to_b(ev_key, &mut ct_b, &ct_u2q, ct_k1));
-    monitor!(pv2_bw_round(ev_key, &mut ct_u2q, &ct_b, &pv2_lut::PV2_0_IS_0));
-    // Last Xor to u2l
-    monitor!(pv2_xor_to_u2(ev_key, ct_dec, &ct_u2q, ct_k0)); // */
-}
--- a/apps/princev2/src/pv2_lut.rs
+++ b/apps/princev2/src/pv2_lut.rs
@@ -1,331 +0,0 @@
-/*
- * Prince v2 constant definitions and Look-up tables for FHE
- * --------------------------------------------------------------------------------- */
-use crate::u64_conv;
-
-/* Permutations -------------------------------------------------------------------- */
-static PERM: [usize; 64 / 4] = [
-    // Prince permutation layer on nibbles
-    0x0, 0x5, 0xa, 0xf, 0x4, 0x9, 0xe, 0x3, 0x8, 0xd, 0x2, 0x7, 0xc, 0x1, 0x6, 0xb,
-];
-pub static IPERM: [usize; 64 / 4] = [
-    // Prince inverse permutation on nibbles
-    0x0, 0xd, 0xa, 0x7, 0x4, 0x1, 0xe, 0xb, 0x8, 0x5, 0x2, 0xf, 0xc, 0x9, 0x6, 0x3,
-];
-
-// Permutation to apply on 16-bits nibbles after M0 if computed as exor( 0123 )
-// ---> bits 0c84,51d9,a62e,fb73
-// ---> TODO: put Perm in cycle notation so as to use swaps
-// (u16 bits) 0123...def (as an array of bits from msb to lsb)
-static FHE_M0_PERM: [usize; 16] = [
-    0x0, 0x5, 0xa, 0xf, 0x3, 0x4, 0x9, 0xe, 0x2, 0x7, 0x8, 0xd, 0x1, 0x6, 0xb, 0xc,
-];
-
-// Permutation to apply on 16-bits nibbles after M1 if computed as exor( 0123 )
-// --> bits c840,1d95,62ea,b73f
-static FHE_M1_PERM: [usize; 16] = [
-    0x3, 0x4, 0x9, 0xe, 0x2, 0x7, 0x8, 0xd, 0x1, 0x6, 0xb, 0xc, 0x0, 0x5, 0xa, 0xf,
-];
-
-// Combined overall bits permutation: (p0 | p1 | p1 | p0) with indexes 0..63
-// FHE_M_PERM  = sum(( [_c + _n*16 for _c in _perm] for _n,_perm
-//                     in enumerate([FHE_M0_PERM,FHE_M1_PERM,FHE_M1_PERM,FHE_M0_PERM]) ), []);
-pub static FHE_M_PERM: [usize; 64] = {
-    let mut n: usize = 0;
-    let mut m_perm: [usize; 64] = [0; 64];
-
-    while n < 4 {
-        let mut p_idx: usize = 0;
-        while p_idx < 16 {
-            m_perm[p_idx + n * 16] = n * 16
-                + match n {
-                    0 | 3 => FHE_M0_PERM[p_idx],
-                    1 | 2 => FHE_M1_PERM[p_idx],
-                    _ => unreachable!(),
-                };
-            p_idx += 1;
-        }
-        n += 1;
-    }
-    m_perm
-};
-
-// Combined with Permutation layer (fw)
-// = [ fhe_M_Perm[ 4*Perm[_i >> 2] + (_i & 0x3) ] for _i in range(64) ]
-pub static FHE_MP_PERM_FW: [usize; 64] = {
-    let mut b: usize = 0;
-    let mut m_perm: [usize; 64] = [0; 64];
-
-    while b < 64 {
-        // Unnatural, but just to see the same structure as above
-        m_perm[b] = FHE_M_PERM[(PERM[b >> 2] << 2) + (b & 0x3)];
-        b += 1;
-    }
-    m_perm
-};
-
-/* Round constants ----------------------------------------------------------------- */
-const PRINCE_NRND: usize = 12; // Number of rounds (more precisely, nb of round constants / non-linear layers)
-
-static _RC_ALPHA: u64 = 0xc0ac29b7c97c50dd; // see paper about symmetry of RC
-static _RC_BETA: u64 = 0x3f84d5b5b5470917; // see paper about symmetry of RC_V2
-#[rustfmt::skip]
-static RC_V2: [u64; PRINCE_NRND] = [
-    0x0000000000000000, 0x13198a2e03707344, 0xa4093822299f31d0, 0x082efa98ec4e6c89,
-    0x452821e638d01377, 0xbe5466cf34e90c6c, 0x7ef84f78fd955cb1, 0x7aacf4538d971a60,
-    0xc882d32f25323c54, 0x9b8ded979cd838c7, 0xd3b5a399ca0c2399, 0x3f84d5b5b5470917,
-];
-#[rustfmt::skip]
-static RC_V2_IP_IM: [u64; PRINCE_NRND] = [ // iM . iP (RC) [from sage script]
-    0x0000000000000000, 0x90ecdeb7cb7fc1ce, 0x81b2cb20a82a2928, 0x480cdfa91d749037,
-    0xcb1a13467044d772, 0x9e8995b07a988c08, 0xe70338c395311a6a, 0x60dc22bf6e681c08,
-    0x318672daf2dd0655, 0x2a74fad9b606e252, 0xe96673c424d657ac, 0xabc631f91e2ccb7a,
-];
-static RC_BETA_IM: u64 = 0x42f93b79daa0eea5; // iM (RC_BETA) [from sage script]
-
-// Decomposed versions
-static ZRC_V2: [[u8; 64 / 4]; PRINCE_NRND] = array_u64_to_vec_u4(RC_V2);
-static ZRC_V2_IP_IM: [[u8; 64 / 4]; PRINCE_NRND] = array_u64_to_vec_u4(RC_V2_IP_IM);
-static ZRC_BETA_IM: [u8; 64 / 4] = u64_conv::u64_to_vec_u4(RC_BETA_IM);
-
-// Emulating map on const for u64_to_vec_u4
-pub const fn array_u64_to_vec_u4<const N: usize>(tab: [u64; N]) -> [[u8; 64 / 4]; N] {
-    let mut i: usize = 0;
-    let mut mat: [[u8; 64 / 4]; N] = [[0; 64 / 4]; N];
-
-    while i < N {
-        // for loop not allowed in const fn
-        mat[i] = u64_conv::u64_to_vec_u4(tab[i]);
-        i += 1;
-    }
-    mat
-}
-
-/* (inv)SBox and derivatives ------------------------------------------------------- */
-static PV2_S: [u8; 1 << 4] = [
-    // Forward SBox
-    0xb, 0xf, 0x3, 0x2, 0xa, 0xc, 0x9, 0x1, 0x6, 0x7, 0x8, 0x0, 0xe, 0x5, 0xd, 0x4,
-];
-static PV2_IS: [u8; 1 << 4] = [
-    // Backward SBox
-    0xb, 0x7, 0x3, 0x2, 0xf, 0xd, 0x8, 0x9, 0xa, 0x6, 0x4, 0x0, 0x5, 0xe, 0xc, 0x1,
-];
-
-// Combined RC+Sboxes for Encryption
-pub static PV2_0_S_0: [[u8; 1 << 4]; 64 / 4] = build_zlut_xsy(PV2_S, [0_u8; 16], [0_u8; 16]); // Not ideal
-pub static PV2_1_S_2: [[u8; 1 << 4]; 64 / 4] = build_zlut_xsy(PV2_S, ZRC_V2[1], ZRC_V2_IP_IM[2]);
-pub static PV2_3_S_4: [[u8; 1 << 4]; 64 / 4] = build_zlut_xsy(PV2_S, ZRC_V2[3], ZRC_V2_IP_IM[4]);
-pub static PV2_5_S_M: [[u8; 1 << 4]; 64 / 4] = build_zlut_xsy(PV2_S, ZRC_V2[5], ZRC_BETA_IM);
-pub static PV2_0_IS_0: [[u8; 1 << 4]; 64 / 4] = build_zlut_xsy(PV2_IS, [0_u8; 16], [0_u8; 16]); // Not ideal
-pub static PV2_6_IS_7: [[u8; 1 << 4]; 64 / 4] = build_zlut_xsy(PV2_IS, ZRC_V2_IP_IM[6], ZRC_V2[7]);
-pub static PV2_8_IS_9: [[u8; 1 << 4]; 64 / 4] = build_zlut_xsy(PV2_IS, ZRC_V2_IP_IM[8], ZRC_V2[9]);
-pub static PV2_A_IS_B: [[u8; 1 << 4]; 64 / 4] =
-    build_zlut_xsy(PV2_IS, ZRC_V2_IP_IM[10], ZRC_V2[11]);
-
-// Additional RC+Sboxes for Decryption
-pub static PV2_B_S_A: [[u8; 1 << 4]; 64 / 4] = build_zlut_xsy(PV2_S, ZRC_V2[11], ZRC_V2_IP_IM[10]);
-pub static PV2_9_S_8: [[u8; 1 << 4]; 64 / 4] = build_zlut_xsy(PV2_S, ZRC_V2[9], ZRC_V2_IP_IM[8]);
-pub static PV2_7_S_6: [[u8; 1 << 4]; 64 / 4] = build_zlut_xsy(PV2_S, ZRC_V2[7], ZRC_V2_IP_IM[6]);
-pub static PV2_M_IS_5: [[u8; 1 << 4]; 64 / 4] = build_zlut_xsy(PV2_IS, ZRC_BETA_IM, ZRC_V2[5]);
-pub static PV2_4_IS_3: [[u8; 1 << 4]; 64 / 4] = build_zlut_xsy(PV2_IS, ZRC_V2_IP_IM[4], ZRC_V2[3]);
-pub static PV2_2_IS_1: [[u8; 1 << 4]; 64 / 4] = build_zlut_xsy(PV2_IS, ZRC_V2_IP_IM[2], ZRC_V2[1]);
-
-// Build special LUTs: SBox( x ^ inner ) ^ outer, depending on word index
-const fn build_zlut_xsy(
-    sbox: [u8; 1 << 4],
-    xor_inner: [u8; 64 / 4],
-    xor_outer: [u8; 64 / 4],
-) -> [[u8; 1 << 4]; 64 / 4] {
-    let mut zlut_xsy: [[u8; 1 << 4]; 64 / 4] = [[0; 1 << 4]; 64 / 4];
-    let mut w: usize = 0;
-    while w < 64 / 4 {
-        // for loop not allowed in const fn
-        let mut x: usize = 0;
-        while x < (1 << 4) {
-            zlut_xsy[w][x] = sbox[((x as u8) ^ xor_inner[w]) as usize] ^ xor_outer[w];
-            x += 1;
-        }
-        w += 1;
-    }
-    zlut_xsy
-}
-
-#[test]
-fn test_build_xsy() {
-    #[rustfmt::skip]
-    let zlut_1s2: [[u8;16]; 16] = [
-        [0x7, 0x3, 0xa, 0xb, 0x4, 0x2, 0x9, 0x1, 0xf, 0xe, 0x8, 0x0, 0xd, 0x6, 0xc, 0x5],
-        [0x3, 0x2, 0xe, 0xa, 0x0, 0x8, 0xd, 0xb, 0x1, 0x9, 0x6, 0x7, 0x5, 0xc, 0x4, 0xf],
-        [0x4, 0x0, 0x9, 0x8, 0x7, 0x1, 0xa, 0x2, 0xc, 0xd, 0xb, 0x3, 0xe, 0x5, 0xf, 0x6],
-        [0x5, 0x4, 0x2, 0xa, 0x7, 0xc, 0x6, 0xf, 0xd, 0x9, 0x0, 0x1, 0xe, 0x8, 0x3, 0xb],
-        [0xa, 0xb, 0x4, 0xc, 0x2, 0x9, 0x1, 0x8, 0x7, 0x3, 0xf, 0xe, 0x6, 0x0, 0x5, 0xd],
-        [0x3, 0xb, 0xd, 0xc, 0x6, 0xf, 0x5, 0xe, 0x8, 0x9, 0x0, 0x4, 0x2, 0xa, 0x1, 0x7],
-        [0x1, 0x0, 0x9, 0xd, 0xb, 0x3, 0x8, 0xe, 0xa, 0x2, 0x4, 0x5, 0xf, 0x6, 0xc, 0x7],
-        [0xd, 0x4, 0xe, 0x5, 0x8, 0x0, 0x6, 0x7, 0x9, 0x1, 0xa, 0xc, 0x3, 0x2, 0xb, 0xf],
-        [0x1, 0x5, 0x9, 0x8, 0x0, 0x6, 0x3, 0xb, 0xc, 0xd, 0x2, 0xa, 0x4, 0xf, 0x7, 0xe],
-        [0xa, 0xb, 0x7, 0x3, 0x9, 0x1, 0x4, 0x2, 0x8, 0x0, 0xf, 0xe, 0xc, 0x5, 0xd, 0x6],
-        [0x3, 0xb, 0xe, 0x8, 0x0, 0x1, 0xd, 0x9, 0x6, 0xf, 0x7, 0xc, 0x2, 0xa, 0x5, 0x4],
-        [0x1, 0x5, 0x9, 0x8, 0x0, 0x6, 0x3, 0xb, 0xc, 0xd, 0x2, 0xa, 0x4, 0xf, 0x7, 0xe],
-        [0x3, 0xb, 0xe, 0x8, 0x0, 0x1, 0xd, 0x9, 0x6, 0xf, 0x7, 0xc, 0x2, 0xa, 0x5, 0x4],
-        [0xb, 0xa, 0x6, 0x2, 0x8, 0x0, 0x5, 0x3, 0x9, 0x1, 0xe, 0xf, 0xd, 0x4, 0xc, 0x7],
-        [0x8, 0xe, 0xb, 0x3, 0x9, 0xd, 0x1, 0x0, 0xc, 0x7, 0xf, 0x6, 0x4, 0x5, 0xa, 0x2],
-        [0x2, 0x4, 0x1, 0x9, 0x3, 0x7, 0xb, 0xa, 0x6, 0xd, 0x5, 0xc, 0xe, 0xf, 0x0, 0x8],
-    ];
-    assert_eq!(zlut_1s2, PV2_1_S_2);
-
-    #[rustfmt::skip]
-    let zlut_5sm: [[u8;16]; 16] = [
-        [0x4, 0xc, 0x3, 0x2, 0x0, 0x9, 0x1, 0xa, 0x6, 0x7, 0xb, 0xf, 0x5, 0xd, 0x8, 0xe],
-        [0xf, 0x6, 0xc, 0x7, 0xa, 0x2, 0x4, 0x5, 0xb, 0x3, 0x8, 0xe, 0x1, 0x0, 0x9, 0xd],
-        [0x3, 0x5, 0xe, 0x6, 0x0, 0x4, 0xd, 0xc, 0xa, 0x1, 0xb, 0x2, 0x8, 0x9, 0xf, 0x7],
-        [0x3, 0x5, 0x0, 0x8, 0x2, 0x6, 0xa, 0xb, 0x7, 0xc, 0x4, 0xd, 0xf, 0xe, 0x1, 0x9],
-        [0xa, 0x2, 0x9, 0xf, 0x0, 0x1, 0x8, 0xc, 0xe, 0x7, 0xd, 0x6, 0xb, 0x3, 0x5, 0x4],
-        [0x2, 0xa, 0x1, 0x7, 0x8, 0x9, 0x0, 0x4, 0x6, 0xf, 0x5, 0xe, 0x3, 0xb, 0xd, 0xc],
-        [0x9, 0x2, 0xa, 0x3, 0x1, 0x0, 0xf, 0x7, 0xd, 0xb, 0xe, 0x6, 0xc, 0x8, 0x4, 0x5],
-        [0xd, 0x4, 0xc, 0x7, 0x9, 0x1, 0xe, 0xf, 0x8, 0x0, 0x5, 0x3, 0xb, 0xa, 0x6, 0x2],
-        [0xf, 0xe, 0x2, 0x6, 0xc, 0x4, 0x1, 0x7, 0xd, 0x5, 0xa, 0xb, 0x9, 0x0, 0x8, 0x3],
-        [0x0, 0x6, 0x3, 0xb, 0x1, 0x5, 0x9, 0x8, 0x4, 0xf, 0x7, 0xe, 0xc, 0xd, 0x2, 0xa],
-        [0x7, 0xe, 0x4, 0xf, 0x2, 0xa, 0xc, 0xd, 0x3, 0xb, 0x0, 0x6, 0x9, 0x8, 0x1, 0x5],
-        [0x7, 0x6, 0x0, 0x8, 0x5, 0xe, 0x4, 0xd, 0xf, 0xb, 0x2, 0x3, 0xc, 0xa, 0x1, 0x9],
-        [0x5, 0x1, 0xd, 0xc, 0x4, 0x2, 0x7, 0xf, 0x8, 0x9, 0x6, 0xe, 0x0, 0xb, 0x3, 0xa],
-        [0x0, 0xb, 0x3, 0xa, 0x8, 0x9, 0x6, 0xe, 0x4, 0x2, 0x7, 0xf, 0x5, 0x1, 0xd, 0xc],
-        [0x3, 0xb, 0x0, 0x6, 0x9, 0x8, 0x1, 0x5, 0x7, 0xe, 0x4, 0xf, 0x2, 0xa, 0xc, 0xd],
-        [0xb, 0x0, 0x8, 0x1, 0x3, 0x2, 0xd, 0x5, 0xf, 0x9, 0xc, 0x4, 0xe, 0xa, 0x6, 0x7],
-    ];
-    assert_eq!(zlut_5sm, PV2_5_S_M);
-
-    #[rustfmt::skip]
-    let zlut_6is7: [[u8;16]; 16] = [
-        [0xb, 0x6, 0x2, 0x9, 0x3, 0x7, 0xd, 0x1, 0xf, 0xe, 0x8, 0xa, 0x4, 0x5, 0xc, 0x0],
-        [0x3, 0x2, 0x7, 0x5, 0x8, 0x9, 0xd, 0x1, 0xb, 0x6, 0x4, 0xf, 0xa, 0xe, 0xc, 0x0],
-        [0x1, 0xd, 0x9, 0x8, 0x5, 0x7, 0x2, 0x3, 0x0, 0xc, 0xe, 0xa, 0xf, 0x4, 0x6, 0xb],
-        [0xe, 0xf, 0xb, 0x7, 0x5, 0x4, 0x1, 0x3, 0xc, 0x8, 0xa, 0x6, 0xd, 0x0, 0x2, 0x9],
-        [0xd, 0xc, 0x8, 0x4, 0x6, 0x7, 0x2, 0x0, 0xf, 0xb, 0x9, 0x5, 0xe, 0x3, 0x1, 0xa],
-        [0xe, 0x2, 0x0, 0x4, 0x1, 0xa, 0x8, 0x5, 0xf, 0x3, 0x7, 0x6, 0xb, 0x9, 0xc, 0xd],
-        [0x0, 0xb, 0x9, 0x4, 0xf, 0x3, 0x1, 0x5, 0xa, 0x8, 0xd, 0xc, 0xe, 0x2, 0x6, 0x7],
-        [0x1, 0x0, 0x4, 0x8, 0xa, 0xb, 0xe, 0xc, 0x3, 0x7, 0x5, 0x9, 0x2, 0xf, 0xd, 0x6],
-        [0xe, 0x2, 0x8, 0xc, 0x6, 0xd, 0x9, 0x4, 0xf, 0x3, 0xa, 0xb, 0x5, 0x7, 0x1, 0x0],
-        [0x0, 0x2, 0x4, 0x5, 0xa, 0x6, 0xf, 0xe, 0x3, 0x8, 0xc, 0x1, 0xb, 0x7, 0xd, 0x9],
-        [0xb, 0xa, 0xe, 0x2, 0x0, 0x1, 0x4, 0x6, 0x9, 0xd, 0xf, 0x3, 0x8, 0x5, 0x7, 0xc],
-        [0x0, 0xc, 0x5, 0x4, 0xa, 0x8, 0xe, 0xf, 0x1, 0xd, 0x7, 0x3, 0x9, 0x2, 0x6, 0xb],
-        [0x6, 0xa, 0x3, 0x2, 0xc, 0xe, 0x8, 0x9, 0x7, 0xb, 0x1, 0x5, 0xf, 0x4, 0x0, 0xd],
-        [0xe, 0xa, 0x0, 0xc, 0x6, 0xb, 0xf, 0x4, 0x9, 0x8, 0x1, 0xd, 0x2, 0x3, 0x5, 0x7],
-        [0xe, 0xf, 0x9, 0xb, 0x5, 0x4, 0xd, 0x1, 0xa, 0x7, 0x3, 0x8, 0x2, 0x6, 0xc, 0x0],
-        [0x4, 0x0, 0xa, 0x6, 0xc, 0x1, 0x5, 0xe, 0x3, 0x2, 0xb, 0x7, 0x8, 0x9, 0xf, 0xd],
-    ];
-    assert_eq!(zlut_6is7, PV2_6_IS_7);
-}
-
-/* LUTs for M-layer (exors) -------------------------------------------------------- */
-// Bits (msb) 0123 (lsb) in u4
-static PV2_EXOR_TO_0: [[u8; 1 << 4]; 4] = build_zlut_exor(0);
-static PV2_EXOR_TO_1: [[u8; 1 << 4]; 4] = build_zlut_exor(1);
-static PV2_EXOR_TO_2: [[u8; 1 << 4]; 4] = build_zlut_exor(2);
-static PV2_EXOR_TO_3: [[u8; 1 << 4]; 4] = build_zlut_exor(3);
-#[rustfmt::skip]
-pub static PV2_EXOR_FW: [&[[u8; 1 << 4]; 4]; 2] = [
-    &PV2_EXOR_TO_3, &PV2_EXOR_TO_2,
-];
-#[rustfmt::skip]
-pub static PV2_EXOR_BW: [&[[u8; 1 << 4]; 4]; 4] = [
-    &PV2_EXOR_TO_3, &PV2_EXOR_TO_2, &PV2_EXOR_TO_1, &PV2_EXOR_TO_0,
-];
-
-// e-xor(b) = xor of all bits except b. [Ex: e-xor(1010,0) = 0, e-xor(1010,1) = 1.]
-// Bits (msb) 0123 (lsb) in u4 [more convenient for describing the M-layer?]
-const fn u4_exor(x: u8, b: u8) -> u8 {
-    assert!(b < 4 && x < 16);
-    let ex_mask: u8 = 0xf - (1 << (3 - b));
-    let mut c: u8 = x & ex_mask;
-    c = (c & 0x3) ^ (c >> 2);
-    c = (c & 0x1) ^ (c >> 1);
-    c
-}
-
-#[test]
-fn test_u4_exor() {
-    let x: u8 = 0b1010;
-    assert_eq!(u4_exor(x, 0), 1);
-    assert_eq!(u4_exor(x, 1), 0);
-    assert_eq!(u4_exor(x, 2), 1);
-    assert_eq!(u4_exor(x, 3), 0);
-
-    let x: u8 = 0b1110;
-    assert_eq!(u4_exor(x, 0), 0);
-    assert_eq!(u4_exor(x, 1), 0);
-    assert_eq!(u4_exor(x, 2), 0);
-    assert_eq!(u4_exor(x, 3), 1);
-}
-
-// e-xor(b) = xor of all bits except b. [Ex: e-xor(1010,0) = 0, e-xor(1010,1) = 1.]
-// Bits (msb) 0123 (lsb) in u4 [more convenient for describing the M-layer?]
-const fn build_zlut_exor(to_b: u8) -> [[u8; 1 << 4]; 4] {
-    let mut zlut_exor_to_b: [[u8; 1 << 4]; 4] = [[0; 1 << 4]; 4];
-    let mut b: usize = 0;
-
-    while b < 4 {
-        // for loop not allowed in const fn
-        let mut x: usize = 0;
-        while x < (1 << 4) {
-            zlut_exor_to_b[b][x] = u4_exor(x as u8, b as u8) << to_b;
-            x += 1;
-        }
-        b += 1;
-    }
-    zlut_exor_to_b
-}
-
-#[test]
-fn test_build_exor() {
-    let zlut_exor_to_1: [[u8; 16]; 4] = [
-        [0, 2, 2, 0, 2, 0, 0, 2, 0, 2, 2, 0, 2, 0, 0, 2],
-        [0, 2, 2, 0, 0, 2, 2, 0, 2, 0, 0, 2, 2, 0, 0, 2],
-        [0, 2, 0, 2, 2, 0, 2, 0, 2, 0, 2, 0, 0, 2, 0, 2],
-        [0, 0, 2, 2, 2, 2, 0, 0, 2, 2, 0, 0, 0, 0, 2, 2],
-    ];
-    assert_eq!(zlut_exor_to_1, PV2_EXOR_TO_1);
-}
-
-/* LUTs for xoring to high / low bits ---------------------------------------------- */
-// [Nb] Probably overkill in this case
-pub static PV2_XOR_TO_LOW: [u8; 1 << 4] = [
-    // (01) ^ (23): (x & 3) ^^ (x >> 2) for x in range(16)
-    0x0, 0x1, 0x2, 0x3, 0x1, 0x0, 0x3, 0x2, 0x2, 0x3, 0x0, 0x1, 0x3, 0x2, 0x1, 0x0,
-];
-static PV2_XOR_TO_HIGH: [u8; 1 << 4] = [
-    // <above> << 2
-    0x0, 0x4, 0x8, 0xc, 0x4, 0x0, 0xc, 0x8, 0x8, 0xc, 0x0, 0x4, 0xc, 0x8, 0x4, 0x0,
-];
-pub static PV2_XOR_FW: [&[u8; 1 << 4]; 2] = [&PV2_XOR_TO_HIGH, &PV2_XOR_TO_LOW];
-
-// xoring + extract bits (low/high of 2 output bits)
-pub static PV2_XOR_BL: [[u8; 1 << 4]; 4] = build_zlut_xor_bhl(0);
-pub static PV2_XOR_BH: [[u8; 1 << 4]; 4] = build_zlut_xor_bhl(1);
-
-const fn build_zlut_xor_bhl(hl: u8) -> [[u8; 1 << 4]; 4] {
-    // [(((01) ^ (23) >> hl) << (3 - b)
-    let mut zlut_xor_hl_to_b: [[u8; 1 << 4]; 4] = [[0; 1 << 4]; 4];
-    let mut b: usize = 0;
-
-    while b < 4 {
-        // for loop not allowed in const fn
-        let mut x: usize = 0;
-        while x < (1 << 4) {
-            zlut_xor_hl_to_b[b][x] = ((PV2_XOR_TO_LOW[x] >> hl) & 0x1) << (3 - b);
-            x += 1;
-        }
-        b += 1;
-    }
-    zlut_xor_hl_to_b
-}
-
-#[test]
-fn test_build_xor_bhl() {
-    let zlut_xor_bh: [[u8; 16]; 4] = [
-        [0, 0, 8, 8, 0, 0, 8, 8, 8, 8, 0, 0, 8, 8, 0, 0],
-        [0, 0, 4, 4, 0, 0, 4, 4, 4, 4, 0, 0, 4, 4, 0, 0],
-        [0, 0, 2, 2, 0, 0, 2, 2, 2, 2, 0, 0, 2, 2, 0, 0],
-        [0, 0, 1, 1, 0, 0, 1, 1, 1, 1, 0, 0, 1, 1, 0, 0],
-    ];
-    assert_eq!(zlut_xor_bh, PV2_XOR_BH);
-}
--- a/apps/princev2/src/u64_conv.rs
+++ b/apps/princev2/src/u64_conv.rs
@@ -1,90 +0,0 @@
-/*
- * Some bit manipulation converting u64 to vectors of 2/4-bit nibbles
- * ----------------------------------------------------------------------------------------------- */
-
-// u64 -> [u4; 16], res[0] = 4 MSB bits of u64
-pub const fn u64_to_vec_u4(u: u64) -> [u8; 64 / 4] {
-    let mut i: usize = 0;
-    let mut v: [u8; 64 / 4] = [0; 64 / 4];
-
-    // "for" loop is unusable inside const
-    while i < 64 / 4 {
-        v[64 / 4 - i - 1] = ((u >> (4 * i)) & 0xf) as u8;
-        i += 1;
-    }
-    v
-}
-
-#[allow(dead_code)] // kept for symmetry with u64_to_vec_u4(); might be useful to convert back decomposed constants
-pub const fn vec_u4_to_u64(v: [u8; 64 / 4]) -> u64 {
-    let mut i: usize = 0;
-    let mut u: u64 = 0;
-
-    // "for" loop is unusable inside const
-    while i < 64 / 4 {
-        u += (v[i] as u64) << (60 - 4 * i);
-        i += 1;
-    }
-    u
-}
-
-#[test]
-fn test_u64_conv_vec_u4() {
-    let u: u64 = 0x3f84d5b5b5470917;
-    let u_dec: [u8; 16] = [
-        0x3, 0xf, 0x8, 0x4, 0xd, 0x5, 0xb, 0x5, 0xb, 0x5, 0x4, 0x7, 0x0, 0x9, 0x1, 0x7,
-    ];
-    assert_eq!(u_dec, u64_to_vec_u4(u));
-    assert_eq!(u, vec_u4_to_u64(u_dec));
-
-    let u: u64 = 0x0ac6f9cd6e6f275d;
-    let u_dec: [u8; 16] = [
-        0x0, 0xa, 0xc, 0x6, 0xf, 0x9, 0xc, 0xd, 0x6, 0xe, 0x6, 0xf, 0x2, 0x7, 0x5, 0xd,
-    ];
-    assert_eq!(u_dec, u64_to_vec_u4(u));
-    assert_eq!(u, vec_u4_to_u64(u_dec));
-}
-
-// u64 -> [u2; 32], res[0] = 2 MSB bits of u64
-pub const fn u64_to_vec_u2(u: u64) -> [u8; 64 / 2] {
-    let mut i: usize = 0;
-    let mut v: [u8; 64 / 2] = [0; 64 / 2];
-
-    while i < 64 / 2 {
-        // for loop unusable inside const
-        v[64 / 2 - i - 1] = ((u >> (2 * i)) & 0x3) as u8;
-        i += 1;
-    }
-    v
-}
-
-pub const fn vec_u2_to_u64(v: [u8; 64 / 2]) -> u64 {
-    let mut i: usize = 0;
-    let mut u: u64 = 0;
-
-    while i < 64 / 2 {
-        // for loop unusable inside const
-        u += (v[i] as u64) << (62 - 2 * i);
-        i += 1;
-    }
-    u
-}
-
-#[test]
-fn test_u64_conv_vec_u2() {
-    let u: u64 = 0x603cd95fa72a8704;
-    #[rustfmt::skip]
-    let u_dec: [u8; 32] = [
-        0x1, 0x2, 0x0, 0x0, 0x0, 0x3, 0x3, 0x0, 0x3, 0x1, 0x2, 0x1, 0x1, 0x1, 0x3, 0x3,
-        0x2, 0x2, 0x1, 0x3, 0x0, 0x2, 0x2, 0x2, 0x2, 0x0, 0x1, 0x3, 0x0, 0x0, 0x1, 0x0];
-    assert_eq!(u_dec, u64_to_vec_u2(u));
-    assert_eq!(u, vec_u2_to_u64(u_dec));
-
-    let u: u64 = 0xee873b2ec447944d;
-    #[rustfmt::skip]
-    let u_dec: [u8; 32] = [
-        0x3, 0x2, 0x3, 0x2, 0x2, 0x0, 0x1, 0x3, 0x0, 0x3, 0x2, 0x3, 0x0, 0x2, 0x3, 0x2,
-        0x3, 0x0, 0x1, 0x0, 0x1, 0x0, 0x1, 0x3, 0x2, 0x1, 0x1, 0x0, 0x1, 0x0, 0x3, 0x1];
-    assert_eq!(u_dec, u64_to_vec_u2(u));
-    assert_eq!(u, vec_u2_to_u64(u_dec));
-}
--- a/apps/princev2/tests/pv2_kat.rs
+++ b/apps/princev2/tests/pv2_kat.rs
@@ -1,132 +0,0 @@
-//! Known-answer tests against the PRINCEv2 paper test vectors.
-//!
-//! These tests run a full homomorphic PRINCEv2 encryption/decryption and assert that the decrypted
-//! ciphertext matches the values from PRINCEv2 specifications [BEK+20, Appendix B].
-//!
-//! [BEK+20] Dusan Božilov, Maria Eichlseder, Miroslav Kneževic, Baptiste Lambin, Gregor Leander,
-//! Thorben Moos, Ventzislav Nikov, Shahram Rasoolzadeh, Yosuke Todo, and Friedrich Wiemer.
-//! PRINCEv2: More security for (almost) no overhead. In Selected Areas in Cryptography (SAC 2020),
-//! volume 12804 of LNCS, pp.483--511, Springer, 2020. DOI:10.1007/978-3-030-81652-0_19.
-
-use tfhe::shortint::parameters::PARAM_MESSAGE_2_CARRY_2_KS_PBS_GAUSSIAN_2M128;
-use tfhe::shortint::prelude::*;
-
-use tfhe_princev2::{pv2_decrypt, pv2_encrypt, u64_to_vec_u2, vec_u2_to_u64};
-
-// KAT structure for Pv2 cipher
-struct Pv2Kat {
-    name: &'static str,
-    ptxt: u64,
-    k0: u64,
-    k1: u64,
-    ctxt: u64,
-}
-
-/// Test vectors from [BEK+20, Appendix B]
-static PV2_KATS_TABLE: [Pv2Kat; 5] = [
-    Pv2Kat {
-        name: "PRINCEv2 KAT #1",
-        ptxt: 0x0000000000000000,
-        k0: 0x0000000000000000,
-        k1: 0x0000000000000000,
-        ctxt: 0x0125fc7359441690,
-    },
-    Pv2Kat {
-        name: "PRINCEv2 KAT #2",
-        ptxt: 0xffffffffffffffff,
-        k0: 0x0000000000000000,
-        k1: 0x0000000000000000,
-        ctxt: 0x832bd46f108e7857,
-    },
-    Pv2Kat {
-        name: "PRINCEv2 KAT #3",
-        ptxt: 0x0000000000000000,
-        k0: 0xffffffffffffffff,
-        k1: 0x0000000000000000,
-        ctxt: 0xee873b2ec447944d,
-    },
-    Pv2Kat {
-        name: "PRINCEv2 KAT #4",
-        ptxt: 0x0000000000000000,
-        k0: 0x0000000000000000,
-        k1: 0xffffffffffffffff,
-        ctxt: 0x0ac6f9cd6e6f275d,
-    },
-    Pv2Kat {
-        name: "PRINCEv2 KAT #5",
-        ptxt: 0x0123456789abcdef,
-        k0: 0x0123456789abcdef,
-        k1: 0xfedcba9876543210,
-        ctxt: 0x603cd95fa72a8704,
-    },
-];
-
-/// Encrypt a u64 as 32 ciphertexts, each holding a 2-bit nibble in the low bits of the FHE message
-/// space. Most significant bits of the input are at index 0 in the output
-fn encrypt_u64_as_vec_u2l(s_key: &ClientKey, x: u64) -> [Ciphertext; 32] {
-    let x_u2: [u8; 32] = u64_to_vec_u2(x);
-    let ct: Vec<Ciphertext> = x_u2
-        .into_iter()
-        .map(|u2| s_key.encrypt(u2 as u64))
-        .collect();
-    ct.try_into().unwrap()
-}
-
-/// Reverse of function encrypt_u64_as_vec_u2l()
-fn decrypt_vec_u2l_as_u64(s_key: &ClientKey, v: &[Ciphertext; 32]) -> u64 {
-    let x_u2: [u8; 32] = std::array::from_fn(|n| s_key.decrypt_message_and_carry(&v[n]) as u8);
-    let x: u64 = vec_u2_to_u64(x_u2);
-    x
-}
-
-/// Run KATs homomorphically for PRINCEv2 Encryption.
-/// [Note] Takes approximately 21s / KAT on 8 cores.
-#[test]
-fn pv2_enc_kat() {
-    let (s_key, ev_key): (ClientKey, ServerKey) = // Params: Need 4-bits msg + nu >= 4
-        tfhe::shortint::gen_keys(PARAM_MESSAGE_2_CARRY_2_KS_PBS_GAUSSIAN_2M128);
-
-    for tkat in &PV2_KATS_TABLE {
-        // Encryptions of inputs (k0,k1,m)
-        let ct_k0: [Ciphertext; 32] = encrypt_u64_as_vec_u2l(&s_key, tkat.k0);
-        let ct_k1: [Ciphertext; 32] = encrypt_u64_as_vec_u2l(&s_key, tkat.k1);
-        let ct_m: [Ciphertext; 32] = encrypt_u64_as_vec_u2l(&s_key, tkat.ptxt);
-
-        // PRINCEv2 Enc in FHE
-        let mut ct_out: [Ciphertext; 32] = std::array::from_fn(|_| ev_key.create_trivial(0)); // [NB] shortint::create_trivial() vs boolean::trivial_encrypt()
-        pv2_encrypt(&ev_key, &mut ct_out, &ct_m, &ct_k0, &ct_k1);
-
-        // Testing the (de-)encrypted result
-        let pt_out: u64 = decrypt_vec_u2l_as_u64(&s_key, &ct_out);
-        assert_eq!(
-            pt_out, tkat.ctxt,
-            "{} failed: ptxt={:#018x}, k0={:#018x}, k1={:#018x}, expected={:#018x}, got={:#018x}",
-            tkat.name, tkat.ptxt, tkat.k0, tkat.k1, tkat.ctxt, pt_out
-        );
-    }
-}
-
-#[test]
-fn pv2_dec_kat() {
-    let (s_key, ev_key): (ClientKey, ServerKey) = // Params: Need 4-bits msg + nu >= 4
-        tfhe::shortint::gen_keys(PARAM_MESSAGE_2_CARRY_2_KS_PBS_GAUSSIAN_2M128);
-
-    for tkat in &PV2_KATS_TABLE {
-        // Encryptions of inputs (k0,k1,m)
-        let ct_k0: [Ciphertext; 32] = encrypt_u64_as_vec_u2l(&s_key, tkat.k0);
-        let ct_k1: [Ciphertext; 32] = encrypt_u64_as_vec_u2l(&s_key, tkat.k1);
-        let ct_c: [Ciphertext; 32] = encrypt_u64_as_vec_u2l(&s_key, tkat.ctxt);
-
-        // PRINCEv2 Dec in FHE
-        let mut ct_out: [Ciphertext; 32] = std::array::from_fn(|_| ev_key.create_trivial(0)); // [NB] shortint::create_trivial() vs boolean::trivial_encrypt()
-        pv2_decrypt(&ev_key, &mut ct_out, &ct_c, &ct_k0, &ct_k1);
-
-        // Testing the (de-)encrypted result
-        let pt_out: u64 = decrypt_vec_u2l_as_u64(&s_key, &ct_out);
-        assert_eq!(
-            pt_out, tkat.ptxt,
-            "{} failed: ctxt={:#018x}, k0={:#018x}, k1={:#018x}, expected={:#018x}, got={:#018x}",
-            tkat.name, tkat.ctxt, tkat.k0, tkat.k1, tkat.ptxt, pt_out
-        );
-    }
-}
--- a/apps/test-vectors/checksums.sha256
+++ b/apps/test-vectors/checksums.sha256
@@ -1,36 +1,36 @@
-09066e9051cb11cd3fa820fe70daba41652dfd8ba7aec1e62deb592e8d422c73  data/valid_params_128/ksk.cbor
-0bcca92c6208519ddec6d618ecc7e77b9b35d30e55588863bc6e4576ced1a010  data/valid_params_128/lwe_sum.cbor
-11d970a504709f4375cbdce717c57e7292f0deb8de1e5ce5b0ddfec86d0ff0c4  data/valid_params_128/lwe_b.cbor
-177f09db39a165a1a3b3e528047e48ad2fdef61dce93a5e3ef67625ef3e23d16  data/valid_params_128/small_lwe_secret_key.cbor
-1a376b04dea2cc29ba2569bd4be13fb00523f85cb4ec1400f3c6cea8827d312e  data/toy_params/small_lwe_secret_key.cbor
-1a4e0747a7cda547a99a2512b036dc21ced461f1ad8680cce6e7f6a91159d68c  data/toy_params/glwe_after_id_br.cbor
-26317e8430c703ce6d82e0b61237a51fabbcd11f52838aef40108777a08b0037  data/toy_params/lwe_after_spec_pbs.cbor
-2f64e6eccd4ddcc7cb2e76844ae869559bcf0c1c2b73a6ff9c7cade02f55dab0  data/valid_params_128/lwe_ks.cbor
-316d04542ba422bf82854c1c53a95d201ba042e12ad31476772a4755620f4e8d  data/valid_params_128/lwe_after_spec_pbs.cbor
-346995d4ac20031338826503173812ff04eac52d15eeb6c93636f6fa6f1b07a5  data/valid_params_128/bsk.cbor
-38f7f0ca6251c5139aaf16121797ae7b25f189ba64ea6ce3a365193cb103bc49  data/toy_params/lwe_prod.cbor
-40a07b2f42e2b7a8f6f90ea61568158a0273476bfea69b8b4907269b952f5d5c  data/valid_params_128/lwe_a.cbor
-534f9e3bb24d4ecbf7447c0e937f5df4840b70d9fcff7ffc6610dae71e7bff88  data/toy_params/large_lwe_secret_key.cbor
-53eb223855483465ab50fe0ea1a9ef39cdb47be2e5544928ec2343d942c78554  data/valid_params_128/lwe_after_id_pbs.cbor
-5593ae368d8fd8a3126433174fd896777ea45b1a92ae8379151de0fed5e5a4e1  data/toy_params/bsk.cbor
-632ef8130037896623de9478469d6ccd8298a6b73ec4f2bdc871f8c0adc1e71c  data/toy_params/lwe_b.cbor
-632fc4b7ad17b40183fca92524b9c21b2adcfbcff3d28f2559959ab740b18bcb  data/valid_params_128/glwe_after_spec_br.cbor
-6597867705cbd69bd3695fb70608c04e1feb96e9b1e242137cefbb8b9d67c25e  data/toy_params/lwe_after_spec_pbs_karatsuba.cbor
-6601d34dde7487630bcecef306f8aa6cba3f7850a6b338e03c6474d4de673da6  data/toy_params/glwe_after_spec_br_karatsuba.cbor
-70ab63fe9e1947dd3c95cd7e7d377025146fbefa3ef34dc72727f10d80d0b454  data/valid_params_128/glwe_after_id_br_karatsuba.cbor
-7400f815f147227fa6ff86898dc875d5e523572c9baaa96a2d6f90189ad14e72  data/valid_params_128/glwe_after_spec_br_karatsuba.cbor
-77837989606579e3bba52382fee3f218f552df82c5b101b79fe4f83bec714d72  data/valid_params_128/lwe_ms.cbor
-7cb3f6f4fd17875baa6bff5f3a5da9af554c89f4932587accfcad7181c31e4b7  data/valid_params_128/large_lwe_secret_key.cbor
-96b66c6d8370e89fd6fecdec70dbc872c749614ca82ed0a3779188c09c08a1db  data/toy_params/glwe_after_id_br_karatsuba.cbor
-a13f573a0fd90065c193002bb2a509ca7a6fdac24c6bee1da95a99e1e9217ee1  data/toy_params/lwe_a.cbor
-a5227e552c7a853c121ce1bb7e371596b2e4594206024e7a7232ab65216b9472  data/toy_params/lwe_ks.cbor
-b8e5075efb58464192319bcb847cc6b3f77942fc07c768e0972f5bf77043a4c5  data/valid_params_128/lwe_after_spec_pbs_karatsuba.cbor
-ba4058987c3635934e759b572d34c1be4edc40939c23192e1776e91afacd69a3  data/valid_params_128/glwe_after_id_br.cbor
-bb52f8c2493c253ed4a4837126e8ad1fe231bf122c4042afd8f71b9ae5fecbd1  data/toy_params/lwe_sum.cbor
-c393d1b4ac5f093f8ace128e656a9ff520e3b6e4448c3dcde8054291908bcbd0  data/toy_params/lwe_after_id_pbs_karatsuba.cbor
-d55a4f0c0ab7794ae9c5d178b72ea97d383a6078cab47bbba83e654702e96885  data/valid_params_128/lwe_after_id_pbs_karatsuba.cbor
-db51aa1b96120c8c41364368247643d85fb35d2db66468514ddf8f25cf8bf1f4  data/toy_params/lwe_after_id_pbs.cbor
-f25cfa0e64b04a39ef11a14fd5de3f5fc82fdc0b8511c91e66183cb309811808  data/toy_params/glwe_after_spec_br.cbor
-f5f4fcc754e2186db0580049093321a37d9de244cfaace9e1b926e1560f20b58  data/valid_params_128/lwe_prod.cbor
-fc690226cca294153b1dc65833e95ba66b837aff87cbb2ef211729d9232b30d3  data/toy_params/ksk.cbor
-fd2e004e4385ed45af7b68f76f8741348a1b94a5c9c28cb6d3642733c0132b9c  data/toy_params/lwe_ms.cbor
+08f31a47c29cc4d72ad32c0b5411fa20b3deef5b84558dd2fb892d3cdf90528a  data/toy_params/glwe_after_id_br_karatsuba.cbor
+29b6e3e7d27700004b70dca24d225816500490e2d6ee49b9af05837fd421896b  data/valid_params_128/lwe_after_spec_pbs.cbor
+2c70d1d78cc3760733850a353ace2b9c4705e840141b75841739e90e51247e18  data/valid_params_128/small_lwe_secret_key.cbor
+2fb4bb45c259b8383da10fc8f9459c40a6972c49b1696eb107f0a75640724be5  data/toy_params/lwe_after_id_pbs_karatsuba.cbor
+36c9080b636475fcacca503ce041bbfeee800fd3e1890dee559ea18defff9fe8  data/toy_params/glwe_after_id_br.cbor
+377761beeb4216cf5aa2624a8b64b8259f5a75c32d28e850be8bced3a0cdd6f5  data/toy_params/ksk.cbor
+59dba26d457f96478eda130cab5301fce86f23c6a8807de42f2a1e78c4985ca7  data/valid_params_128/lwe_ks.cbor
+5d80dd93fefae4f4f89484dfcd65bbe99cc32e7e3b0a90c33dd0d77516c0a023  data/valid_params_128/glwe_after_id_br_karatsuba.cbor
+656f0009c7834c5bcb61621e222047516054b9bc5d0593d474ab8f1c086b67a6  data/valid_params_128/lwe_after_id_pbs.cbor
+699580ca92b9c2f9e1f57fb1e312c9e8cb29714f7acdef9d2ba05f798546751f  data/toy_params/lwe_sum.cbor
+6e54ab41056984595b077baff70236d934308cf5c0c33b4482fbfb129b3756c6  data/valid_params_128/glwe_after_id_br.cbor
+70f5e5728822de05b49071efb5ec28551b0f5cc87aa709a455d8e7f04b9c96ee  data/toy_params/lwe_after_id_pbs.cbor
+76a5c52cab7fec1dc167da676c6cd39479cda6b2bb9f4e0573cb7d99c2692faa  data/valid_params_128/lwe_after_id_pbs_karatsuba.cbor
+7cc6803f5fbc3d5a1bf597f2b979ce17eecd3d6baca12183dea21022a7b65c52  data/toy_params/bsk.cbor
+7f3c40a134623b44779a556212477fea26eaed22450f3b6faeb8721d63699972  data/valid_params_128/lwe_sum.cbor
+837b3bd3245d4d0534ed255fdef896fb4fa6998a258a14543dfdadd0bfc9b6dd  data/toy_params/lwe_prod.cbor
+9ece8ca9c1436258b94e8c5e629b8722f9b18fdd415dd5209b6167a9dde8491c  data/toy_params/glwe_after_spec_br_karatsuba.cbor
+aa44aea29efd6d9e4d35a21a625d9cba155672e3f7ed3eddee1e211e62ad146b  data/valid_params_128/lwe_ms.cbor
+b7a037b9eaa88d6385167579b93e26a0cb6976d9b8967416fd1173e113bda199  data/valid_params_128/large_lwe_secret_key.cbor
+b7b8e3586128887bd682120f3e3a43156139bce5e3fe0b03284f8753a864d647  data/toy_params/lwe_after_spec_pbs_karatsuba.cbor
+bd00a8ae7494e400de5753029552ee1647efe7e17409b863a26a13b081099b8c  data/toy_params/lwe_after_spec_pbs.cbor
+c6df98676de04fe54b5ffc2eb30a82ebb706c9d7d5a4e0ed509700fec88761f7  data/toy_params/lwe_ms.cbor
+c7d5a864d5616a7d8ad50bbf40416e41e6c9b60c546dc14d4aa8fc40a418baa7  data/toy_params/large_lwe_secret_key.cbor
+c806533b325b1009db38be2f9bef5f3b2fad6b77b4c71f2855ccc9d3b4162e98  data/valid_params_128/lwe_b.cbor
+c9eb75bd2993639348a679cf48c06e3c38d1a513f48e5b0ce0047cea8cff6bbc  data/toy_params/lwe_a.cbor
+d3391969acf26dc69de0927ba279139d8d79999944069addc8ff469ad6c5ae2d  data/valid_params_128/lwe_after_spec_pbs_karatsuba.cbor
+d6da5baef0e787f6be56e218d8354e26904652602db964844156fdff08350ce6  data/toy_params/lwe_ks.cbor
+e591ab9af1b6a0aede273f9a3abb65a4c387feb5fa06a6959e9314058ca0f7e5  data/valid_params_128/ksk.cbor
+e59b002df3a9b01ad321ec51cf076fa35131ab9dbef141d1c54b717d61426c92  data/valid_params_128/glwe_after_spec_br_karatsuba.cbor
+e628354c81508a2d888016e8282df363dd12f1e19190b6475d4eb9d7ab8ae007  data/valid_params_128/glwe_after_spec_br.cbor
+e69d2d2c064fc8c0460b39191ca65338146990349954f5ec5ebd01d93610e7eb  data/valid_params_128/lwe_a.cbor
+e76c24b2a0c9a842ad13dda35473c2514f9e7d20983b5ea0759c4521a91626d9  data/valid_params_128/lwe_prod.cbor
+e9afe7019acba5cda926f13e06df9930571611729d2f2e8ce41956e1f5e1db6f  data/valid_params_128/bsk.cbor
+eadf2eff35133ffba075df11faecddd6e7af9ddc398011ec4568e5528812b3e2  data/toy_params/lwe_b.cbor
+ee9fcf45f1379ca3a7d7bf2b0e7a1cc920ceb496c0217e8604b0b58d2831749e  data/toy_params/small_lwe_secret_key.cbor
+f7a89ac440def1c8aa3f42ecc41813632509df38cd4544d1a507711831e629bd  data/toy_params/glwe_after_spec_br.cbor
--- a/apps/test-vectors/data/README.md
+++ b/apps/test-vectors/data/README.md
@@ -1,43 +1,43 @@
 # Test vectors for TFHE
 These test vectors are generated using [TFHE-rs](https://github.com/zama-ai/tfhe-rs), with the git tag `tfhe-test-vectors-0.2.0`.

-They are TFHE-rs objects serialized in the [cbor format](https://cbor.io/). These can be deserialized using any cbor library for any programming languages. For example, using the [cbor2](https://pypi.org/project/cbor2/) program, the command to run is: `cbor2 --pretty toy_params/lwe_a.cbor`.
+They are TFHE-rs objects serialized in the [cbor format](https://cbor.io/). You can deserialize them using any cbor library for the language of your choice. For example, using the [cbor2](https://pypi.org/project/cbor2/) program, run: `cbor2 --pretty toy_params/lwe_a.cbor`.

-There are 2 folders with test vectors for different parameter sets:
- `valid_params_128`: valid classical PBS parameters using a Gaussian noise distribution, providing 128-bits of security in the IND-CPA model (i.e., the probability of failure is smaller than 2^{-64}).
- `toy_params`: insecure parameters that yield smaller values to simplify the bit comparison of the results.
+You will find 2 folders with test vectors for different parameter sets:
+- `valid_params_128`: valid classical PBS parameters using a gaussian noise distribution, providing 128bits of security in the IND-CPA model and a bootstrapping probability of failure of 2^{-64}.
+- `toy_params`: insecure parameters that yield smaller values

-The values are generated to compute a keyswitch (KS) followed by a bootstrap (PBS). The cleartext inputs are 2 values, A and B defined below.
+The values are generated for the keyswitch -> bootstrap (KS-PBS) atomic pattern. The cleartext inputs are 2 values, A and B defined below.

 All the random values are generated from a fixed seed, that can be found in the `RAND_SEED` constant below. The PRNG used is the one based on the AES block cipher in counter mode, from tfhe `tfhe-csprng` crate.

-The bootstrap is applied twice, with 2 different lut, the identity lut and a specific one computing the double of the input value (i.e., f(x) = 2*x).
+The programmable bootstrap is applied twice, with 2 different lut, the identity lut and a specific one (currently a x2 operation)

 ## Vectors
 The following values are generated:

 ### Keys
-| name                   | description                                                                             | TFHE-rs type                |
-|------------------------|-----------------------------------------------------------------------------------------|-----------------------------|
-| `large_lwe_secret_key` | Encryption secret key, before the KS and after the PBS                                  | `LweSecretKey<Vec<u64>>`    |
-| `small_lwe_secret_key` | Secret key encrypting ciphertexts between the KS and the PBS                            | `LweSecretKey<Vec<u64>>`    |
-| `ksk`                  | The keyswitching key to convert a ct from the large key to the small one                | `LweKeyswitchKey<Vec<u64>>` |
+| name                   | description                                                                           | TFHE-rs type                |
+|------------------------|---------------------------------------------------------------------------------------|-----------------------------|
+| `large_lwe_secret_key` | Encryption secret key, before the KS and after the PBS                                | `LweSecretKey<Vec<u64>>`    |
+| `small_lwe_secret_key` | Secret key encrypting ciphertexts between the KS and the PBS                          | `LweSecretKey<Vec<u64>>`    |
+| `ksk`                  | The keyswitching key to convert a ct from the large key to the small one              | `LweKeyswitchKey<Vec<u64>>` |
 | `bsk`                  | the bootstrapping key to perform a programmable bootstrap on the keyswitched ciphertext | `LweBootstrapKey<Vec<u64>>` |


 ### Ciphertexts
-| name                 | description                                                                                         | TFHE-rs type               | Cleartext            |
-|----------------------|-----------------------------------------------------------------------------------------------------|----------------------------|----------------------|
-| `lwe_a`              | LWE Ciphertext encrypting A                                                                         | `LweCiphertext<Vec<u64>>`  | `A`                  |
-| `lwe_b`              | LWE Ciphertext encrypting B                                                                         | `LweCiphertext<Vec<u64>>`  | `B`                  |
-| `lwe_sum`            | LWE Ciphertext encrypting A plus lwe encryption of B                                                | `LweCiphertext<Vec<u64>>`  | `A+B`                |
-| `lwe_prod`           | LWE Ciphertext encrypting A times cleartext B                                                       | `LweCiphertext<Vec<u64>>`  | `A*B`                |
-| `lwe_ms`             | LWE Ciphertext encrypting A after a Modulus Switch from q to 2*N ([note](#non-native-encoding))     | `LweCiphertext<Vec<u64>>`  | `A`                  |
-| `lwe_ks`             | LWE Ciphertext encrypting A after a keyswitch from `large_lwe_secret_key` to `small_lwe_secret_key` | `LweCiphertext<Vec<u64>>`  | `A`                  |
-| `glwe_after_id_br`   | GLWE Ciphertext encrypting A after the application of the identity blind rotation on `lwe_ms`       | `GlweCiphertext<Vec<u64>>` | rotation of id LUT   |
-| `lwe_after_id_pbs`   | LWE Ciphertext encrypting A after the sample extract operation on `glwe_after_id_br`                | `LweCiphertext<Vec<u64>>`  | `A`                  |
-| `glwe_after_spec_br` | GLWE Ciphertext encrypting spec(A) after the application of the spec blind rotation on `lwe_ms`     | `GlweCiphertext<Vec<u64>>` | rotation of spec LUT |
-| `lwe_after_spec_pbs` | LWE Ciphertext encrypting spec(A) after the sample extract operation on `glwe_after_spec_br`        | `LweCiphertext<Vec<u64>>`  | `spec(A)`            |
+| name                 | description                                                                                                  | TFHE-rs type               | Cleartext    |
+|----------------------|--------------------------------------------------------------------------------------------------------------|----------------------------|--------------|
+| `lwe_a`              | Lwe encryption of A                                                                                          | `LweCiphertext<Vec<u64>>`  | `A`          |
+| `lwe_b`              | Lwe encryption of B                                                                                          | `LweCiphertext<Vec<u64>>`  | `B`          |
+| `lwe_sum`            | Lwe encryption of A plus lwe encryption of B                                                                 | `LweCiphertext<Vec<u64>>`  | `A+B`        |
+| `lwe_prod`           | Lwe encryption of A times cleartext B                                                                        | `LweCiphertext<Vec<u64>>`  | `A*B`        |
+| `lwe_ms`             | The lwe ciphertext after the modswitch part of the PBS ([note](#non-native-encoding))                        | `LweCiphertext<Vec<u64>>`  | `A`          |
+| `lwe_ks`             | The lwe ciphertext after the keyswitch                                                                       | `LweCiphertext<Vec<u64>>`  | `A`          |
+| `glwe_after_id_br`   | The glwe returned by the application of the identity blind rotation on the mod switched ciphertexts.         | `GlweCiphertext<Vec<u64>>` | rot id LUT   |
+| `lwe_after_id_pbs`   | The lwe returned by the application of the sample extract operation on the output of the id blind rotation   | `LweCiphertext<Vec<u64>>`  | `A`          |
+| `glwe_after_spec_br` | The glwe returned by the application of the spec blind rotation on the mod switched ciphertexts.             | `GlweCiphertext<Vec<u64>>` | rot spec LUT |
+| `lwe_after_spec_pbs` | The lwe returned by the application of the sample extract operation on the output of the spec blind rotation | `LweCiphertext<Vec<u64>>`  | `spec(A)`    |

 Ciphertexts with the `_karatsuba` suffix are generated using the Karatsuba polynomial multiplication algorithm in the blind rotation, while default ciphertexts are generated using an FFT multiplication.
 This makes it easier to reproduce bit exact results.
--- a/apps/test-vectors/data/toy_params/bsk.cbor
+++ b/apps/test-vectors/data/toy_params/bsk.cbor
@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:5593ae368d8fd8a3126433174fd896777ea45b1a92ae8379151de0fed5e5a4e1
+oid sha256:7cc6803f5fbc3d5a1bf597f2b979ce17eecd3d6baca12183dea21022a7b65c52
 size 92291
--- a/apps/test-vectors/data/toy_params/glwe_after_id_br.cbor
+++ b/apps/test-vectors/data/toy_params/glwe_after_id_br.cbor
@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:1a4e0747a7cda547a99a2512b036dc21ced461f1ad8680cce6e7f6a91159d68c
+oid sha256:36c9080b636475fcacca503ce041bbfeee800fd3e1890dee559ea18defff9fe8
 size 4679
--- a/apps/test-vectors/data/toy_params/glwe_after_id_br_karatsuba.cbor
+++ b/apps/test-vectors/data/toy_params/glwe_after_id_br_karatsuba.cbor
@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:96b66c6d8370e89fd6fecdec70dbc872c749614ca82ed0a3779188c09c08a1db
+oid sha256:08f31a47c29cc4d72ad32c0b5411fa20b3deef5b84558dd2fb892d3cdf90528a
 size 4679
--- a/apps/test-vectors/data/toy_params/glwe_after_spec_br.cbor
+++ b/apps/test-vectors/data/toy_params/glwe_after_spec_br.cbor
@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:f25cfa0e64b04a39ef11a14fd5de3f5fc82fdc0b8511c91e66183cb309811808
+oid sha256:f7a89ac440def1c8aa3f42ecc41813632509df38cd4544d1a507711831e629bd
 size 4679
--- a/apps/test-vectors/data/toy_params/glwe_after_spec_br_karatsuba.cbor
+++ b/apps/test-vectors/data/toy_params/glwe_after_spec_br_karatsuba.cbor
@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:6601d34dde7487630bcecef306f8aa6cba3f7850a6b338e03c6474d4de673da6
+oid sha256:9ece8ca9c1436258b94e8c5e629b8722f9b18fdd415dd5209b6167a9dde8491c
 size 4679
--- a/apps/test-vectors/data/toy_params/ksk.cbor
+++ b/apps/test-vectors/data/toy_params/ksk.cbor
@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:fc690226cca294153b1dc65833e95ba66b837aff87cbb2ef211729d9232b30d3
+oid sha256:377761beeb4216cf5aa2624a8b64b8259f5a75c32d28e850be8bced3a0cdd6f5
 size 25451
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
David Testé	9d18c6c3d8	chore(ci): update slab-github-runner action to v1.6.0 This action version now uses node24 as runner since node20 support is dropped on April 2026.	2026-04-01 09:47:54 +02:00
Thomas Montaigu	638f4c8bab	chore: add compressed xof key set backward to 1.5	2026-03-11 17:26:14 +01:00
Thomas Montaigu	509afb0967	refactor: use div_ceil to compute public seed bytes Coupled with the assert this ensures at least one byte for the seed.	2026-03-11 17:26:14 +01:00
Thomas Montaigu	da3d966fba	feat: impl Tagged for [Compressed]XofKeySet	2026-03-11 17:26:14 +01:00
Thomas Montaigu	fa396a7e80	chore: bump tfhe-csprng to 0.8.1	2026-03-11 17:26:14 +01:00
Thomas Montaigu	f92a5267d2	fix(csprng): fix offset being lost during fork The offset was not passed to children, and the parent 'lost' it. Meaning that after a fork using a generator initialized with XofSeed, after a fork, the offset was lost for both the children and parent. Refactor the initialization chain and methods of the AesCtrGenerator to simplify things. (Although the struct is pub, it's in a private module thus it's not public API) The fix is to pass the offset. * A test to check that the parent correctly continues after the fork has been added * Tests now pass a random offset to make sure this case is properly handled	2026-03-11 17:26:14 +01:00
Nicolas Sarlin	d76fef0d82	chore: bump tfhe to 1.5.4	2026-03-03 15:03:40 +01:00
Nicolas Sarlin	1f403aade1	fix(integer): reject packed legacy compact list	2026-03-03 10:17:40 +01:00
David Testé	081bb0f332	chore(ci): update slab-github-runner action to v1.5.1 This version adds randomization on sleep duration between calls to GitHub API when looking for runner registration. This reduces the risk of API rate-limiting.	2026-02-12 09:27:13 +01:00
David Testé	c8b19c3f10	chore(ci): update slab-github-runner action to v1.5.0 This new version improves handling of asynchronous tasks related to Slab and GitHub API.	2026-02-11 13:59:49 +01:00
Agnes Leroy	7408ca1126	chore(gpu): add fallback for 4-l40 in CI	2026-02-11 13:59:49 +01:00
Arthur Meyre	8712746296	chore: bump TFHE-rs to 1.5.3	2026-02-11 13:59:49 +01:00
Arthur Meyre	271644f482	chore: bump tfhe-cuda-backend to 0.13.2	2026-02-11 13:59:49 +01:00
Arthur Meyre	5a7650a2de	chore: revert backward compatibility change - this change should not have been needed and poses risks for backward compatibility - HL CUDA: use dedicated type for the ReRand	2026-02-11 13:59:49 +01:00
Guillermo Oyarzun	a3a5b6fe40	fix(gpu): avoid unspecified behavior during the reduction	2026-02-11 13:55:47 +01:00
Pedro Alves	2210d637c4	fix(gpu): remove unused number_bits_to_unpack initialization in host_extract	2026-02-09 17:03:09 +01:00
Pedro Alves	1e5a38acb0	fix(gpu): assert all items have same shape in from_vec_cuda_lwe_ciphertexts_list	2026-02-09 17:03:09 +01:00
Pedro Alves	f6b08c45e9	fix(gpu): assert exactly one element in CudaLweCiphertextList::into_lwe_ciphertext	2026-02-09 17:03:09 +01:00
Pedro Alves	6145f6b680	fix(gpu): use lwe_compact_ciphertext_list_size for validation in CudaLweCompactCiphertextList::from_d_vec	2026-02-09 17:03:09 +01:00
Agnes Leroy	0d6602df84	chore(gpu): improve checks in device code	2026-02-09 17:03:09 +01:00
Agnes Leroy	a006d5d71f	fix(gpu): fix logic in lwe ciphertext list	2026-02-09 17:03:09 +01:00
Pedro Alves	a7c5f2dbf8	chore(gpu): replaces (a + b - 1) / b patterns in the cuda backend by CEIL_DIV - also, this commit renames kernel_dimensions.cuh to helper.cuh and copies the content of the older helper.cuh into helper_debug.cuh	2026-02-09 17:03:09 +01:00
Agnes Leroy	0816c331c5	chore(gpu): add some missing checks in core crypto	2026-02-09 17:03:09 +01:00
Agnes Leroy	89df44917b	chore(gpu): cleanup device.cu binding, remove _async fuinctions from core crypto	2026-02-09 17:03:09 +01:00
Guillermo Oyarzun	b218c98194	fix(gpu): clean unused variables in specialized classical pbs	2026-02-09 17:03:09 +01:00
Andrei Stoian	2355cf4d89	fix(gpu): valgrind error on leaks	2026-02-09 17:03:09 +01:00
Guillermo Oyarzun	3b793273cf	feat(gpu): create different threshold for multi-gpu pbs128	2026-02-09 17:03:09 +01:00
Guillermo Oyarzun	d3b52d92cb	fix(gpu): fix race condition in tbc implementations	2026-02-09 17:03:09 +01:00
Guillermo Oyarzun	af7d69e16c	feat(gpu): avoid register spilling memory in ff128	2026-02-09 17:03:09 +01:00
Guillermo Oyarzun	6bb211f2fd	feat(gpu): use 512 threads for pbs128 flavors	2026-02-09 17:03:09 +01:00
Agnes Leroy	0fcce501a2	fix(gpu): fix small cpu memory leak	2026-02-09 17:03:09 +01:00
Agnes Leroy	204555e11c	fix(gpu): fix noise level in match value	2026-02-09 17:03:09 +01:00
Arthur Meyre	b00e8bafe5	chore: bump TFHE-rs to version 1.5.2	2026-02-09 13:05:01 +01:00
Arthur Meyre	140a780bb6	chore: bump tfhe-cuda-backend to 0.13.1	2026-02-09 13:05:01 +01:00
Thomas Montaigu	e646130324	chore: move shortint expanded types into shortint mod The expanded types definitions were in the high level API as it was originally related to the XofKeySet feature. However, since it's now used even in non-xof setting we decided to move these types to shortint module where they conceptually belong	2026-02-09 09:14:25 +01:00
Thomas Montaigu	f79204e23e	feat(hlapi): add is_conformant for CompressedXofKeySet	2026-02-09 09:14:25 +01:00
Thomas Montaigu	b6b24f4fb9	fix(xofkeyset): generate multibit decompression key when params are multibit	2026-02-09 09:14:25 +01:00
Thomas Montaigu	41621dc4e3	fix(conformance): GGSW list had wrong group count	2026-02-09 09:14:25 +01:00
Thomas Montaigu	662038da19	chore(xof_key_set): make generate_with_pre_seeded_generator public MPC teams needs to be able to generate a CompressedXofKeySet from an existing ClientKey	2026-02-09 09:14:25 +01:00
Thomas Montaigu	9d21aecae9	feat(hlapi): add decompress_to_gpu for CompressedXofKeySet Done using the newly added expand + convert pattern	2026-02-09 09:14:25 +01:00
Thomas Montaigu	58dbdf7dd4	refactor(hlapi): add IntegerExpandedServerKey::convert_to_gpu And use it to convert from CompressedServerKey to CudaServerKey.	2026-02-09 09:14:25 +01:00
Thomas Montaigu	1a7b7ace47	refactor(hlapi): split gpu key conversion in expand/convert converting from CompressedServerKey (Cpu) to CudaServerKey was done via decompress_from_cpu/decompress_to_cuda methods. We refactor to split these functions in 2: one that converts from cpu (input in std domain for bootstrap keys), the other that decompress/expand then calls convert	2026-02-09 09:14:25 +01:00
Thomas Montaigu	7797b60ef2	refactor(hlapi): add expand() method to CompressedServerKey Add an expand method to CompressedServerKey that returns an IntegerExpandedServerKey. Refactor decompress() to use the new expand() then convert_to_cpu(). This will allow later to refactor the convertion from CompressedServerKey to CudaServerKey to follow a similar pattern, meaning we will be able to share the code that converts keys from CPU to GPU between the normal server key and the xof server key	2026-02-09 09:14:25 +01:00
Thomas Montaigu	56c0a9fa5e	fix(hlapi-gpu): correct state of post decompression noise squashed ct The GPU part did not set the correct state This problem is sort of rare to encounter as generally a CompressedSquashedNoiseCiphertextList is deserialized then used. When deserialized its on the CPU, so calls to `get` use CPU code which correctly set the state. This problem is thus visible when either: - safe_deserializing and manually moving the list to GPU - deserialize - directly expanding after the creation of the list	2026-02-09 09:14:25 +01:00
Thomas Montaigu	37bcb7763d	fix(hlapi): return error when trying to expand non packed list	2026-02-09 09:14:25 +01:00
Thomas Montaigu	ae978bedc6	refactor(xof_key_set): split decompression into expansion and conversion Introduce IntegerExpandedServerKey as an intermediate representation between compressed (seeded) keys and backend-specific formats. Decompression is now a two-step process: 1. Seed expansion: decompress seeded keys into standard domain representations (e.g., LweBootstrapKey instead of FourierLweBootstrapKey) 2. Backend conversion: convert to target backend format (CPU Fourier, GPU, etc.) This separation allows sharing the expansion step across backends while specializing only the final conversion, as for this XOF based expansion the order is important Changes: - Split xof_key_set.rs into module structure (mod.rs, internal.rs, test.rs) - Add intermediate types, that contains the expanded, but not converted data	2026-02-09 09:14:25 +01:00
David Testé	43ebb14b9b	doc: fix specs description of aws hpc7a.96xlarge instance These instances have two sockets, each equipped with a 96-core CPU.	2026-02-06 12:25:07 +01:00
David Testé	641b394423	doc: add svg tables to zero-knowledge benchmarks This removes the embedded GSheet. These SVGs display more operations and inputs that reflect real-use cases. Throughput is available only for server-side computation as it's meaningless to perform multiple proof in parallele on the client-side.	2026-02-02 18:05:08 +01:00
Beka Barbakadze	72c18cc2b2	fix(gpu): add __syncthread and threadIdx condition for sample_extract_body in all pbs versions	2026-01-30 20:21:15 +01:00
Pedro Alves	71e95c435d	chore(gpu): add test for single-item compact ciphertext list expand	2026-01-30 20:21:15 +01:00
Andrei Stoian	057217b7d2	fix(gpu): more crypto param checks in cuda backend	2026-01-30 20:21:15 +01:00
Beka Barbakadze	f006039916	refactor(gpu): refactor f128 and fft128 to prevent possible precision losses and improve performance	2026-01-30 20:21:15 +01:00
Pedro Alves	69df8c0310	fix(gpu): fix some inconsistencies in decompression that could enable access of not allocated memory - also adds a diagram explaining how compression / decompression work	2026-01-30 20:21:15 +01:00
Agnes Leroy	482e49eac5	fix(gpu): add check on nullptr for dest_indexes in many lut gather	2026-01-29 15:58:18 +01:00
Guillermo Oyarzun	0dcf2ace3b	fix(gpu): handling temporary events destruction	2026-01-29 15:58:18 +01:00
Pedro Alves	0483c95941	fix(gpu): fix an invalid access in expand when the number of LWEs is odd - also improves test_expander_length_matches_data_items - adds diagrams and explanations about GPU's expand	2026-01-29 15:58:18 +01:00
Guillermo Oyarzun	f9b292ca77	fix(gpu): add panic for 32-bit Torus calls	2026-01-29 15:58:18 +01:00
Agnes Leroy	8e194c4b65	chore(gpu): fix logic to check ptr validity in device.cu	2026-01-29 15:58:18 +01:00
Agnes Leroy	f02bba151c	chore(gpu): stop trying to enable NVlink since we don't use it	2026-01-29 15:58:18 +01:00
Agnes Leroy	a477548161	chore(gpu): add comments in device.cu	2026-01-29 15:58:18 +01:00
David Testé	45a7d5217c	chore(docs): update benchmark results for all backends	2026-01-26 17:08:40 +01:00
Andrei Stoian	865c0887ee	fix(gpu): mutex lock	2026-01-26 11:20:54 +01:00
Agnes Leroy	0b9df1c8cd	doc: add erc20 benchmark results for all backends	2026-01-26 11:20:54 +01:00
Pedro Alves	cf20e337ef	fix(gpu): fix an inconsistency between CudaCompactCiphertextListExpander::len() and the CPU equivalent	2026-01-23 15:37:18 +01:00
Agnes Leroy	d7aea61eba	fix(gpu): fix potential overflow in create_on_same_gpus	2026-01-23 15:37:18 +01:00
Arthur Meyre	9352ecce54	chore: bump version to 1.5.1	2026-01-20 14:17:55 +01:00
Arthur Meyre	179b52ab26	feat: add missing raw parts APIs for shortint (Compressed)DecompressionKey	2026-01-20 14:17:55 +01:00