Function share_commitment 

pub fn share_commitment(
    blind: Base,
    c1_x: Base,
    c2_x: Base,
    c1_y: Base,
    c2_y: Base,
) -> Base

Out-of-circuit per-share blinded commitment.

The y-coordinates bind the commitment to the exact curve point, not just the x-coordinate. Without them, an attacker can negate the El Gamal ciphertext without invalidating the ZKP and corrupt the homomorphic tally.