pub fn share_commitment(
blind: Base,
c1_x: Base,
c2_x: Base,
c1_y: Base,
c2_y: Base,
) -> BaseExpand description
Out-of-circuit per-share blinded commitment (condition 10).
Computes Poseidon(blind, c1_x, c2_x, c1_y, c2_y) for a single share.
The y-coordinates bind the commitment to the exact curve point, not just the x-coordinate. Without them, an attacker can negate the ElGamal ciphertext (flip sign bits) without invalidating the ZKP — corrupting the homomorphic tally. See: ciphertext sign-malleability fix.
The blind factor prevents anyone who sees the encrypted shares on-chain from recomputing shares_hash and linking it to a specific vote commitment.