Struct Instance 

pub struct Instance {
    pub van_nullifier: Base,
    pub r_vpk_x: Base,
    pub r_vpk_y: Base,
    pub vote_authority_note_new: Base,
    pub vote_commitment: Base,
    pub vote_comm_tree_root: Base,
    pub vote_comm_tree_anchor_height: Base,
    pub proposal_id: Base,
    pub voting_round_id: Base,
    pub ea_pk_x: Base,
    pub ea_pk_y: Base,
}

Public inputs to the Vote Proof circuit (11 field elements).

The voting client (prover) chooses these values when assembling the proof; the verifier accepts them as the binding the proof must satisfy and checks the proof without seeing any private witnesses. The relationship is asymmetric: a malicious-custody client can choose any public-input vector it likes, so the verifier must source the correct values from authenticated chain state (see crate::vote_proof::prove::verify_vote_proof for which fields require caller authentication versus which are proof-attested outputs).

Binding contract: shares_hash is deliberately absent from this public instance vector. The circuit computes it as an internal condition-10 cell and exposes it to the verifier only through vote_commitment.

Fields

van_nullifier: Base

The nullifier of the old VAN being spent (prevents double-vote).

r_vpk_x: Base

Randomized voting public key (condition 4): x-coordinate of r_vpk = vsk.ak + [alpha_v] * G.

r_vpk_y: Base

Randomized voting public key: y-coordinate.

vote_authority_note_new: Base

The new VAN commitment (with decremented proposal authority).

vote_commitment: Base

The vote commitment hash.

vote_comm_tree_root: Base

Root of the vote commitment tree at anchor height.

vote_comm_tree_anchor_height: Base

Caller-authenticated chain height used to source vote_comm_tree_root.

This public input is transcript-bound but not constrained to a witness cell. Verifiers must check that vote_comm_tree_root is the chain root at this height.

proposal_id: Base

Governance session parameter: which proposal this vote is for.

The circuit constrains this to [1, 15] through condition 6 and binds it into the new VAN and vote commitment. The verifier must separately check that it is active for voting_round_id.

voting_round_id: Base

Governance session parameter: the voting round identifier.

The circuit binds this into the VAN nullifier, new VAN, and vote commitment, but cannot authenticate that it is the active round.

ea_pk_x: Base

Governance-announced election authority public key x-coordinate.

The verifier must pin this from the active round’s governance announcement. The circuit proves encryption under this coordinate pair, but cannot authenticate that it is the legitimate EA key.

ea_pk_y: Base

Governance-announced election authority public key y-coordinate.

Must be authenticated with ea_pk_x; both coordinates are public so a prover cannot substitute a negated curve point while preserving x.

Implementations

impl Instance

pub const NUM_PUBLIC_INPUTS: usize = 11

Number of public inputs serialized by Self::to_halo2_instance.

pub fn from_parts( van_nullifier: Base, r_vpk_x: Base, r_vpk_y: Base, vote_authority_note_new: Base, vote_commitment: Base, vote_comm_tree_root: Base, vote_comm_tree_anchor_height: Base, proposal_id: Base, voting_round_id: Base, ea_pk_x: Base, ea_pk_y: Base, ) -> Self

Constructs an Instance from its constituent parts.

Callers should authenticate vote_comm_tree_root, vote_comm_tree_anchor_height, proposal_id, voting_round_id, ea_pk_x, and ea_pk_y out-of-band before passing them here. proposal_id must be active for voting_round_id; the circuit only checks the authority-bit index range. The EA key must come from the active round’s governance announcement, not from the prover bundle. See crate::vote_proof::prove::verify_vote_proof for the trust contract and why wiring ea_pk_* from the same bundle as the proof is a custody-attack surface. The remaining fields are proof-attested outputs derived outside the circuit but constrained in-circuit against authenticated inputs and private witnesses.

pub fn to_halo2_instance(&self) -> Vec<Scalar>

Serializes public inputs for halo2 proof creation/verification.

The order must match the instance column offsets defined at the top of this file (VAN_NULLIFIER_PUBLIC_OFFSET, R_VPK_X_PUBLIC_OFFSET, R_VPK_Y_PUBLIC_OFFSET, etc.).

Trait Implementations

impl Clone for Instance

fn clone(&self) -> Instance

Returns a duplicate of the value.

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source.

impl Debug for Instance

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter.