# ZKP #3 — Vote Reveal Proof This ZKP opens a single encrypted share from a registered vote commitment, revealing the El Gamal ciphertext for homomorphic accumulation — without revealing the plaintext amount or which vote commitment the share came from. ## Public inputs * `share_nullifier` — prevents double-counting * `enc_share_c1_x` — x-coordinate of the El Gamal C1 ciphertext * `enc_share_c1_y` — y-coordinate of the El Gamal C1 ciphertext * `enc_share_c2_x` — x-coordinate of the El Gamal C2 ciphertext * `enc_share_c2_y` — y-coordinate of the El Gamal C2 ciphertext * `proposal_id` — which proposal * `vote_decision` — the voter's choice * `vote_comm_tree_root` — root of the vote commitment tree * `voting_round_id` Note: `vote_comm_tree_anchor_height` is used by the chain's ante handler to look up the correct tree root, but is not itself a circuit public input. Both coordinates of each ciphertext point are public inputs — the y-coordinates bind the proof to the exact curve point, preventing sign-malleability attacks where an adversary negates the ElGamal ciphertext without invalidating the share commitment. ## Witness (private inputs) * `vote_commitment` — the VC being opened (hidden) * `vote_comm_tree_path, vote_comm_tree_position` — Merkle proof for VC membership * `shares_hash` — hash of all 16 blinded share commitments (`share_comm_i = H(blind_i, c1_i_x, c2_i_x, c1_i_y, c2_i_y)`) * `share_index` — which of the 16 shares (0..15) * `share_comm_0, ..., share_comm_15` — all 16 blinded share commitments (to recompute `shares_hash`) * `blind` — the blind factor for the revealed share (at position `share_index`) ## Conditions ### Vote commitment membership (conditions 1-2) 1. [**Merkle Tree Membership**](/shielded-vote-docs/circuit-components/merkle-tree-membership.md) — VC exists in vote commitment tree, without revealing which one 2. [**Vote Commitment Integrity**](/shielded-vote-docs/circuit-components/vote-commitment-integrity.md) — `vote_commitment = H(DOMAIN_VC, voting_round_id, shares_hash, proposal_id, vote_decision)` ### Share opening (conditions 3-4) 3. [**Shares Hash Integrity**](/shielded-vote-docs/circuit-components/shares-hash-integrity.md) — Recomputes `shares_hash` from witness share commitments (the server receives blinded commitments, not raw ciphertexts/blinds of other shares) 4. [**Share Membership**](https://github.com/z-cale/shielded-vote-book/blob/main/circuits/share-membership.md) — `Poseidon(blind, enc_c1_x, enc_c2_x, enc_c1_y, enc_c2_y) = share_comms[share_index]` (the commitment derived from the public ciphertext and witness blind matches the committed set) ### Nullifier (condition 5) 5. [**Share Nullifier**](/shielded-vote-docs/circuit-components/share-nullifier.md) — `share_nullifier = H("share spend", vote_commitment, share_index, blind)` ## Out-of-circuit checks * `share_nullifier` not seen before * `vote_comm_tree_root` matches published root * `proposal_id` is valid * `voting_round_id` matches active round ## Who runs this This ZKP is constructed by the **submission server**, not the client. The client sends the share data as a payload; the server computes the proof and submits it at a randomized delay. See [Server-Delegated Share Submission](/shielded-vote-docs/delegation/server-delegated-shares.md). --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://valargroup.gitbook.io/shielded-vote-docs/zkp-specifications/zkp3-vote-reveal-proof.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.