@maci-protocol/circuits 0.0.0-ci.38c76f2 → 0.0.0-ci.3a64a23

package/circom/coordinator/full/MessageProcessor.circom

@@ -33,14 +33,6 @@ include "./SingleMessageProcessor.circom";
     var PACKED_COMMAND_LENGTH = 4;
     var STATE_LEAF_LENGTH = 3;
     var BALLOT_LENGTH = 2;
-    var BALLOT_NONCE_INDEX = 0;
-    var BALLOT_VOTE_OPTION_ROOT_INDEX = 1;
-    var STATE_LEAF_PUBLIC_X_INDEX = 0;
-    var STATE_LEAF_PUBLIC_Y_INDEX = 1;
-    var STATE_LEAF_VOICE_CREDIT_BALANCE_INDEX = 2;
-    var MESSAGE_TREE_ZERO_VALUE = 8370432830353022751713833565135785980866757267633941821328460903436894336785;
-    // Number of options for this poll.
-    var maxVoteOptions = VOTE_OPTION_TREE_ARITY ** voteOptionTreeDepth;
 
     // Number of users that have completed the sign up.
     signal input totalSignups;
@@ -57,7 +49,7 @@ include "./SingleMessageProcessor.circom";
     // The current state root (before the processing).
     signal input currentStateRoot;
     // The actual tree depth (might be <= stateTreeDepth).
-    // @note it is a public input to ensure fair processing from 
+    // @note it is a public input to ensure fair processing from
     // the coordinator (no censoring)
     signal input actualStateTreeDepth;
     // The coordinator public key hash
@@ -97,7 +89,7 @@ include "./SingleMessageProcessor.circom";
 
     // The index of the first message in the batch, inclusive.
     signal input index;
-    
+
     // The index of the last message in the batch to process, exclusive.
     // This value may be less than index + batchSize if this batch is
     // the last batch and the total number of messages is not a multiple of the batch size.
@@ -112,7 +104,7 @@ include "./SingleMessageProcessor.circom";
     var computedCurrentSbCommitment = PoseidonHasher(3)([currentStateRoot, currentBallotRoot, currentSbSalt]);
     computedCurrentSbCommitment === currentSbCommitment;
 
-    //  ----------------------------------------------------------------------- 
+    //  -----------------------------------------------------------------------
     // 0. Ensure that the maximum vote options signal is valid and if
     // the maximum users signal is valid
     var voteOptionsValid = LessEqThan(32)([voteOptions, VOTE_OPTION_TREE_ARITY ** voteOptionTreeDepth]);
@@ -162,7 +154,7 @@ include "./SingleMessageProcessor.circom";
 
     // Decrypt each Message into a Command.
     // The command i-th is composed by the following fields.
-    // e.g., command 0 is made of commandsStateIndex[0], 
+    // e.g., command 0 is made of commandsStateIndex[0],
     // commandsNewPublicKey[0], ..., commandsPackedCommandOut[0]
     var computedCommandsStateIndex[batchSize];
     var computedCommandsNewPublicKey[batchSize][2];
@@ -205,7 +197,7 @@ include "./SingleMessageProcessor.circom";
         var computedCurrentStateLeavesPathElements[stateTreeDepth][STATE_TREE_ARITY - 1];
         var computedCurrentBallotPathElements[stateTreeDepth][STATE_TREE_ARITY - 1];
         var computedCurrentVoteWeightsPathElements[voteOptionTreeDepth][VOTE_OPTION_TREE_ARITY - 1];
-        
+
         for (var j = 0; j < stateTreeDepth; j++) {
             for (var k = 0; k < STATE_TREE_ARITY - 1; k++) {
                 computedCurrentStateLeavesPathElements[j][k] = currentStateLeavesPathElements[i][j][k];

package/circom/coordinator/full/SingleMessageProcessor.circom

@@ -5,7 +5,6 @@ include "./mux1.circom";
 // local imports
 include "../../utils/PoseidonHasher.circom";
 include "../../utils/trees/MerkleTreeInclusionProof.circom";
-include "../../utils/trees/MerklePathIndicesGenerator.circom";
 include "../../utils/trees/BinaryMerkleRoot.circom";
 include "../../utils/trees/QuinaryTreeInclusionProof.circom";
 include "../../utils/trees/QuinaryGeneratePathIndices.circom";
@@ -112,14 +111,13 @@ template SingleMessageProcessorFull(stateTreeDepth, voteOptionTreeDepth) {
     // 2. If computedIsStateLeafIndexValid is equal to zero, generate indices for leaf zero.
     // Otherwise, generate indices for command.stateIndex.
     var stateIndexMux = Mux1()([0, commandStateIndex], computedIsStateLeafIndexValid);
-    var computedStateLeafPathIndices[stateTreeDepth] = MerklePathIndicesGenerator(stateTreeDepth)(stateIndexMux);
 
     // 3. Verify that the original state leaf exists in the given state root.
     var stateLeafHash = PoseidonHasher(3)(stateLeaf);
     var computedStateRoot = BinaryMerkleRoot(stateTreeDepth)(
         stateLeafHash,
         actualStateTreeDepth,
-        computedStateLeafPathIndices,
+        stateIndexMux,
         stateLeafPathElements
     );
 
@@ -130,6 +128,7 @@ template SingleMessageProcessorFull(stateTreeDepth, voteOptionTreeDepth) {
         ballot[BALLOT_NONCE_INDEX], 
         ballot[BALLOT_VOTE_OPTION_ROOT_INDEX]
     ]);
+    var computedStateLeafPathIndices[stateTreeDepth] = Num2Bits(stateTreeDepth)(stateIndexMux);
 
     var computedBallotRoot = MerkleTreeInclusionProof(stateTreeDepth)(
         computedBallot,
@@ -186,7 +185,7 @@ template SingleMessageProcessorFull(stateTreeDepth, voteOptionTreeDepth) {
     var computedNewStateRoot = BinaryMerkleRoot(stateTreeDepth)(
         computedNewStateLeafhash,
         actualStateTreeDepth,
-        computedStateLeafPathIndices,
+        stateIndexMux,
         stateLeafPathElements
     );
 

package/circom/coordinator/non-qv/MessageProcessor.circom

@@ -33,14 +33,6 @@ include "./SingleMessageProcessor.circom";
     var PACKED_COMMAND_LENGTH = 4;
     var STATE_LEAF_LENGTH = 3;
     var BALLOT_LENGTH = 2;
-    var BALLOT_NONCE_INDEX = 0;
-    var BALLOT_VOTE_OPTION_ROOT_INDEX = 1;
-    var STATE_LEAF_PUBLIC_X_INDEX = 0;
-    var STATE_LEAF_PUBLIC_Y_INDEX = 1;
-    var STATE_LEAF_VOICE_CREDIT_BALANCE_INDEX = 2;
-    var MESSAGE_TREE_ZERO_VALUE = 8370432830353022751713833565135785980866757267633941821328460903436894336785;
-    // Number of options for this poll.
-    var maxVoteOptions = VOTE_OPTION_TREE_ARITY ** voteOptionTreeDepth;
 
     // Number of users that have completed the sign up.
     signal input totalSignups;
@@ -57,7 +49,7 @@ include "./SingleMessageProcessor.circom";
     // The current state root (before the processing).
     signal input currentStateRoot;
     // The actual tree depth (might be <= stateTreeDepth).
-    // @note it is a public input to ensure fair processing from 
+    // @note it is a public input to ensure fair processing from
     // the coordinator (no censoring)
     signal input actualStateTreeDepth;
     // The coordinator public key hash
@@ -97,7 +89,7 @@ include "./SingleMessageProcessor.circom";
 
     // The index of the first message in the batch, inclusive.
     signal input index;
-    
+
     // The index of the last message in the batch to process, exclusive.
     // This value may be less than index + batchSize if this batch is
     // the last batch and the total number of messages is not a multiple of the batch size.
@@ -112,7 +104,7 @@ include "./SingleMessageProcessor.circom";
     var computedCurrentSbCommitment = PoseidonHasher(3)([currentStateRoot, currentBallotRoot, currentSbSalt]);
     computedCurrentSbCommitment === currentSbCommitment;
 
-    //  ----------------------------------------------------------------------- 
+    //  -----------------------------------------------------------------------
     // 0. Ensure that the maximum vote options signal is valid and if
     // the maximum users signal is valid
     var voteOptionsValid = LessEqThan(32)([voteOptions, VOTE_OPTION_TREE_ARITY ** voteOptionTreeDepth]);
@@ -162,7 +154,7 @@ include "./SingleMessageProcessor.circom";
 
     // Decrypt each Message into a Command.
     // The command i-th is composed by the following fields.
-    // e.g., command 0 is made of commandsStateIndex[0], 
+    // e.g., command 0 is made of commandsStateIndex[0],
     // commandsNewPublicKey[0], ..., commandsPackedCommandOut[0]
     var computedCommandsStateIndex[batchSize];
     var computedCommandsNewPublicKey[batchSize][2];
@@ -205,7 +197,7 @@ include "./SingleMessageProcessor.circom";
         var computedCurrentStateLeavesPathElements[stateTreeDepth][STATE_TREE_ARITY - 1];
         var computedCurrentBallotPathElements[stateTreeDepth][STATE_TREE_ARITY - 1];
         var computedCurrentVoteWeightsPathElements[voteOptionTreeDepth][VOTE_OPTION_TREE_ARITY - 1];
-        
+
         for (var j = 0; j < stateTreeDepth; j++) {
             for (var k = 0; k < STATE_TREE_ARITY - 1; k++) {
                 computedCurrentStateLeavesPathElements[j][k] = currentStateLeavesPathElements[i][j][k];

package/circom/coordinator/non-qv/SingleMessageProcessor.circom

@@ -5,7 +5,6 @@ include "./mux1.circom";
 // local imports
 include "../../utils/PoseidonHasher.circom";
 include "../../utils/trees/MerkleTreeInclusionProof.circom";
-include "../../utils/trees/MerklePathIndicesGenerator.circom";
 include "../../utils/trees/BinaryMerkleRoot.circom";
 include "../../utils/trees/QuinaryTreeInclusionProof.circom";
 include "../../utils/trees/QuinaryGeneratePathIndices.circom";
@@ -13,10 +12,10 @@ include "../../utils/non-qv/StateLeafAndBallotTransformer.circom";
 
 
 /**
- * Processes one message and updates the state accordingly. 
- * This template involves complex interactions, including transformations based on message type, 
- * validations against current states like voice credit balances or vote weights, 
- * and updates to Merkle trees representing state and ballot information. 
+ * Processes one message and updates the state accordingly.
+ * This template involves complex interactions, including transformations based on message type,
+ * validations against current states like voice credit balances or vote weights,
+ * and updates to Merkle trees representing state and ballot information.
  * This is a critical building block for ensuring the integrity and correctness of MACI state.
  * This template does not support Quadratic Voting (QV).
  */
@@ -24,7 +23,6 @@ template SingleMessageProcessorNonQv(stateTreeDepth, voteOptionTreeDepth) {
     // Constants defining the structure and size of state and ballots.
     var STATE_LEAF_LENGTH = 3;
     var BALLOT_LENGTH = 2;
-    var MESSAGE_LENGTH = 10;
     var PACKED_COMMAND_LENGTH = 4;
     var VOTE_OPTION_TREE_ARITY = 5;
     var STATE_TREE_ARITY = 2;
@@ -38,7 +36,6 @@ template SingleMessageProcessorNonQv(stateTreeDepth, voteOptionTreeDepth) {
     var STATE_LEAF_PUBLIC_Y_INDEX = 1;
     // Voice Credit balance.
     var STATE_LEAF_VOICE_CREDIT_BALANCE_INDEX = 2;
-    var NUMBER_BITS = 252;
 
     // Number of users that have completed the sign up.
     signal input totalSignups;
@@ -108,14 +105,13 @@ template SingleMessageProcessorNonQv(stateTreeDepth, voteOptionTreeDepth) {
     // 2. If computedIsStateLeafIndexValid is equal to zero, generate indices for leaf zero.
     // Otherwise, generate indices for command.stateIndex.
     var stateIndexMux = Mux1()([0, commandStateIndex], computedIsStateLeafIndexValid);
-    var computedStateLeafPathIndices[stateTreeDepth] = MerklePathIndicesGenerator(stateTreeDepth)(stateIndexMux);
 
     // 3. Verify that the original state leaf exists in the given state root.
     var stateLeafHash = PoseidonHasher(3)(stateLeaf);
     var stateLeafQip = BinaryMerkleRoot(stateTreeDepth)(
         stateLeafHash,
         actualStateTreeDepth,
-        computedStateLeafPathIndices,
+        stateIndexMux,
         stateLeafPathElements
     );
 
@@ -123,9 +119,10 @@ template SingleMessageProcessorNonQv(stateTreeDepth, voteOptionTreeDepth) {
 
     // 4. Verify that the original ballot exists in the given ballot root.
     var computedBallot = PoseidonHasher(2)([
-        ballot[BALLOT_NONCE_INDEX], 
+        ballot[BALLOT_NONCE_INDEX],
         ballot[BALLOT_VOTE_OPTION_ROOT_INDEX]
     ]);
+    var computedStateLeafPathIndices[stateTreeDepth] = Num2Bits(stateTreeDepth)(stateIndexMux);
 
     var computedBallotQip = MerkleTreeInclusionProof(stateTreeDepth)(
         computedBallot,
@@ -182,13 +179,13 @@ template SingleMessageProcessorNonQv(stateTreeDepth, voteOptionTreeDepth) {
     var computedNewStateLeafQip = BinaryMerkleRoot(stateTreeDepth)(
         computedNewStateLeafHash,
         actualStateTreeDepth,
-        computedStateLeafPathIndices,
+        stateIndexMux,
         stateLeafPathElements
     );
 
     newStateRoot <== computedNewStateLeafQip;
- 
-    // 7. Generate a new ballot root.    
+
+    // 7. Generate a new ballot root.
     var computedNewBallot = PoseidonHasher(2)([computedNewBallotNonce, newBallotVoteOptionRoot]);
     var computedNewBallotQip = MerkleTreeInclusionProof(stateTreeDepth)(
         computedNewBallot,

package/circom/coordinator/non-qv/VoteTally.circom

@@ -7,7 +7,6 @@ include "./unpack-element.circom";
 // local imports
 include "../../utils/non-qv/ResultCommitmentVerifier.circom";
 include "../../utils/trees/CheckRoot.circom";
-include "../../utils/trees/MerklePathIndicesGenerator.circom";
 include "../../utils/trees/LeafExists.circom";
 include "../../utils/trees/QuinaryCheckRoot.circom";
 include "../../utils/CalculateTotal.circom";
@@ -97,7 +96,7 @@ template VoteTallyNonQv(
     }
 
     var computedBallotSubroot = CheckRoot(tallyProcessingStateTreeDepth)(computedBallotHashers);
-    var computedBallotPathIndices[STATE_TREE_DEPTH_DIFFERENCE] = MerklePathIndicesGenerator(STATE_TREE_DEPTH_DIFFERENCE)(index / batchSize);
+    var computedBallotPathIndices[STATE_TREE_DEPTH_DIFFERENCE] = Num2Bits(STATE_TREE_DEPTH_DIFFERENCE)(index / batchSize); 
 
     // Verifies each ballot's existence within the ballot tree.
     LeafExists(STATE_TREE_DEPTH_DIFFERENCE)(

package/circom/coordinator/qv/MessageProcessor.circom

@@ -34,14 +34,6 @@ template MessageProcessorQv(
     var PACKED_COMMAND_LENGTH = 4;
     var STATE_LEAF_LENGTH = 3;
     var BALLOT_LENGTH = 2;
-    var BALLOT_NONCE_INDEX = 0;
-    var BALLOT_VOTE_OPTION_ROOT_INDEX = 1;
-    var STATE_LEAF_PUBLIC_X_INDEX = 0;
-    var STATE_LEAF_PUBLIC_Y_INDEX = 1;
-    var STATE_LEAF_VOICE_CREDIT_BALANCE_INDEX = 2;
-    var MESSAGE_TREE_ZERO_VALUE = 8370432830353022751713833565135785980866757267633941821328460903436894336785;
-    // Number of options for this poll.
-    var maxVoteOptions = VOTE_OPTION_TREE_ARITY ** voteOptionTreeDepth;
 
     // Number of users that have completed the sign up.
     signal input totalSignups;
@@ -58,7 +50,7 @@ template MessageProcessorQv(
     // The current state root (before the processing).
     signal input currentStateRoot;
     // The actual tree depth (might be <= stateTreeDepth).
-    // @note it is a public input to ensure fair processing from 
+    // @note it is a public input to ensure fair processing from
     // the coordinator (no censoring)
     signal input actualStateTreeDepth;
     // The coordinator public key hash
@@ -98,7 +90,7 @@ template MessageProcessorQv(
 
     // The index of the first message in the batch, inclusive.
     signal input index;
-    
+
     // The index of the last message in the batch to process, exclusive.
     // This value may be less than batchSize if this batch is
     // the last batch and the total number of messages is not a multiple of the batch size.
@@ -160,7 +152,7 @@ template MessageProcessorQv(
 
     // Decrypt each Message into a Command.
     // The command i-th is composed by the following fields.
-    // e.g., command 0 is made of commandsStateIndex[0], 
+    // e.g., command 0 is made of commandsStateIndex[0],
     // commandsNewPublicKey[0], ..., commandsPackedCommandOut[0]
     var computedCommandsStateIndex[batchSize];
     var computedCommandsNewPublicKey[batchSize][2];
@@ -203,7 +195,7 @@ template MessageProcessorQv(
         var computedCurrentStateLeavesPathElements[stateTreeDepth][STATE_TREE_ARITY - 1];
         var computedCurrentBallotPathElements[stateTreeDepth][STATE_TREE_ARITY - 1];
         var computedCurrentVoteWeightsPathElements[voteOptionTreeDepth][VOTE_OPTION_TREE_ARITY - 1];
-        
+
         for (var j = 0; j < stateTreeDepth; j++) {
             for (var k = 0; k < STATE_TREE_ARITY - 1; k++) {
                 computedCurrentStateLeavesPathElements[j][k] = currentStateLeavesPathElements[i][j][k];
@@ -216,7 +208,7 @@ template MessageProcessorQv(
                 computedCurrentVoteWeightsPathElements[j][k] = currentVoteWeightsPathElements[i][j][k];
             }
         }
-        
+
         (computedNewVoteStateRoot[i], computedNewVoteBallotRoot[i]) = SingleMessageProcessorQv(stateTreeDepth, voteOptionTreeDepth)(
             totalSignups,
             stateRoots[i + 1],

package/circom/coordinator/qv/SingleMessageProcessor.circom

@@ -5,17 +5,16 @@ include "./mux1.circom";
 // local imports
 include "../../utils/PoseidonHasher.circom";
 include "../../utils/trees/MerkleTreeInclusionProof.circom";
-include "../../utils/trees/MerklePathIndicesGenerator.circom";
 include "../../utils/trees/BinaryMerkleRoot.circom";
 include "../../utils/trees/QuinaryTreeInclusionProof.circom";
 include "../../utils/trees/QuinaryGeneratePathIndices.circom";
 include "../../utils/qv/StateLeafAndBallotTransformer.circom";
 
 /**
- * Processes one message and updates the state accordingly. 
- * This template involves complex interactions, including transformations based on message type, 
- * validations against current states like voice credit balances or vote weights, 
- * and updates to Merkle trees representing state and ballot information. 
+ * Processes one message and updates the state accordingly.
+ * This template involves complex interactions, including transformations based on message type,
+ * validations against current states like voice credit balances or vote weights,
+ * and updates to Merkle trees representing state and ballot information.
  * This is a critical building block for ensuring the integrity and correctness of MACI state.
  * This template supports the Quadratic Voting (QV).
  */
@@ -23,7 +22,6 @@ template SingleMessageProcessorQv(stateTreeDepth, voteOptionTreeDepth) {
     // Constants defining the structure and size of state and ballots.
     var STATE_LEAF_LENGTH = 3;
     var BALLOT_LENGTH = 2;
-    var MESSAGE_LENGTH = 10;
     var PACKED_COMMAND_LENGTH = 4;
     var VOTE_OPTION_TREE_ARITY = 5;
     var STATE_TREE_ARITY = 2;
@@ -37,7 +35,6 @@ template SingleMessageProcessorQv(stateTreeDepth, voteOptionTreeDepth) {
     var STATE_LEAF_PUBLIC_Y_INDEX = 1;
     // Voice Credit balance.
     var STATE_LEAF_VOICE_CREDIT_BALANCE_INDEX = 2;
-    var NUMBER_BITS = 252;
 
     // Number of users that have completed the sign up.
     signal input totalSignups;
@@ -112,14 +109,13 @@ template SingleMessageProcessorQv(stateTreeDepth, voteOptionTreeDepth) {
     // 2. If computedIsStateLeafIndexValid is equal to zero, generate indices for leaf zero.
     // Otherwise, generate indices for command.stateIndex.
     var stateIndexMux = Mux1()([0, commandStateIndex], computedIsStateLeafIndexValid);
-    var computedStateLeafPathIndices[stateTreeDepth] = MerklePathIndicesGenerator(stateTreeDepth)(stateIndexMux);
 
     // 3. Verify that the original state leaf exists in the given state root.
     var stateLeafHash = PoseidonHasher(3)(stateLeaf);
     var stateLeafQip = BinaryMerkleRoot(stateTreeDepth)(
         stateLeafHash,
         actualStateTreeDepth,
-        computedStateLeafPathIndices,
+        stateIndexMux,
         stateLeafPathElements
     );
 
@@ -127,9 +123,10 @@ template SingleMessageProcessorQv(stateTreeDepth, voteOptionTreeDepth) {
 
     // 4. Verify that the original ballot exists in the given ballot root.
     var computedBallot = PoseidonHasher(2)([
-        ballot[BALLOT_NONCE_INDEX], 
+        ballot[BALLOT_NONCE_INDEX],
         ballot[BALLOT_VOTE_OPTION_ROOT_INDEX]
     ]);
+    var computedStateLeafPathIndices[stateTreeDepth] = Num2Bits(stateTreeDepth)(stateIndexMux);
 
     var computedBallotQip = MerkleTreeInclusionProof(stateTreeDepth)(
         computedBallot,
@@ -189,13 +186,13 @@ template SingleMessageProcessorQv(stateTreeDepth, voteOptionTreeDepth) {
     var computedNewStateLeafQip = BinaryMerkleRoot(stateTreeDepth)(
         computedNewStateLeafHash,
         actualStateTreeDepth,
-        computedStateLeafPathIndices,
+        stateIndexMux,
         stateLeafPathElements
     );
 
     newStateRoot <== computedNewStateLeafQip;
- 
-    // 7. Generate a new ballot root.    
+
+    // 7. Generate a new ballot root.
     var computedNewBallot = PoseidonHasher(2)([computedNewBallotNonce, newBallotVoteOptionRoot]);
     var computedNewBallotQip = MerkleTreeInclusionProof(stateTreeDepth)(
         computedNewBallot,
@@ -205,4 +202,3 @@ template SingleMessageProcessorQv(stateTreeDepth, voteOptionTreeDepth) {
 
     newBallotRoot <== computedNewBallotQip;
 }
-

package/circom/coordinator/qv/VoteTally.circom

@@ -6,7 +6,6 @@ include "./comparators.circom";
 include "./unpack-element.circom";
 // local imports
 include "../../utils/trees/CheckRoot.circom";
-include "../../utils/trees/MerklePathIndicesGenerator.circom";
 include "../../utils/trees/LeafExists.circom";
 include "../../utils/trees/QuinaryCheckRoot.circom";
 include "../../utils/qv/ResultCommitmentVerifier.circom";
@@ -102,7 +101,7 @@ template VoteTallyQv(
     }
 
     var computedBallotSubroot = CheckRoot(tallyProcessingStateTreeDepth)(computedBallotHashers);
-    var computedBallotPathIndices[STATE_TREE_DEPTH_DIFFERENCE] = MerklePathIndicesGenerator(STATE_TREE_DEPTH_DIFFERENCE)(index / batchSize);
+    var computedBallotPathIndices[STATE_TREE_DEPTH_DIFFERENCE] = Num2Bits(STATE_TREE_DEPTH_DIFFERENCE)(index / batchSize);
 
     // Verifies each ballot's existence within the ballot tree.
     LeafExists(STATE_TREE_DEPTH_DIFFERENCE)(

package/circom/coordinator/qv/VoteTallyWithIndividualCounts.circom

@@ -6,7 +6,6 @@ include "./comparators.circom";
 include "./unpack-element.circom";
 // local imports
 include "../../utils/trees/CheckRoot.circom";
-include "../../utils/trees/MerklePathIndicesGenerator.circom";
 include "../../utils/trees/LeafExists.circom";
 include "../../utils/trees/QuinaryCheckRoot.circom";
 include "../../utils/qv/ResultCommitmentVerifier.circom";
@@ -129,10 +128,10 @@ template VoteTallyWithIndividualCountsQv(
     }
 
     var computedBallotSubroot = CheckRoot(tallyProcessingStateTreeDepth)(computedBallotHashers);
-    var computedBallotPathIndices[STATE_TREE_DEPTH_DIFFERENCE] = MerklePathIndicesGenerator(STATE_TREE_DEPTH_DIFFERENCE)(index / ballotBatchSize);
+    var computedBallotPathIndices[STATE_TREE_DEPTH_DIFFERENCE] = Num2Bits(STATE_TREE_DEPTH_DIFFERENCE)(index / ballotBatchSize);
 
     var computedVoteCountsSubroot = CheckRoot(tallyProcessingStateTreeDepth)(computedVoteCountsHashers);
-    var computedVoteCountsPathIndices[STATE_TREE_DEPTH_DIFFERENCE] = MerklePathIndicesGenerator(STATE_TREE_DEPTH_DIFFERENCE)(index / voteCountsBatchSize);
+    var computedVoteCountsPathIndices[STATE_TREE_DEPTH_DIFFERENCE] = Num2Bits(STATE_TREE_DEPTH_DIFFERENCE)(index / voteCountsBatchSize);
 
     // Verifies each ballot's existence within the ballot tree.
     LeafExists(STATE_TREE_DEPTH_DIFFERENCE)(

package/circom/utils/EdDSAPoseidonVerifier.circom

@@ -9,6 +9,7 @@ include "./escalarmulany.circom";
 include "./escalarmulfix.circom";
 // local imports
 include "./PoseidonHasher.circom";
+include "./IsOnCurve.circom";
 
 /**
  * Variant of the EdDSAPoseidonVerifier template from circomlib
@@ -37,9 +38,13 @@ template EdDSAPoseidonVerifier() {
     // Output signal for the validity of the signature.
     signal output isValid;
 
+    // Verify the public key and signature point are on the BabyJubJub curve.
+    var computedIsPkOnCurve = IsOnCurve()(publicKeyX, publicKeyY);
+    var computedIsSpOnCurve = IsOnCurve()(signaturePointX, signaturePointY);
+
     // Ensure signatureScalar<Subgroup Order.
     // convert the signature scalar signatureScalar into its binary representation.
-    var computedNum2Bits[254] = Num2Bits(254)(signatureScalar);
+    var computedNum2Bits[254] = Num2Bits_strict()(signatureScalar);
 
     var computedCompConstantIn[254] = computedNum2Bits;
     computedCompConstantIn[253] = 0;
@@ -82,10 +87,10 @@ template EdDSAPoseidonVerifier() {
     // Components to handle edge cases and ensure that all conditions 
     // for a valid signature are met, including the 
     // public key not being zero and other integrity checks.
-    var computedIsAxZero = IsZero()(publicKeyX);
+    var computedIsAxZero = IsZero()(computedDouble3XOut);
     var computedIsAxEqual = IsEqual()([computedIsAxZero, 0]);
     var computedIsCcZero = IsZero()(computedCompConstant);
-    var computedIsValid = IsEqual()([computedIsLeftRightValid + computedIsAxEqual + computedIsCcZero, 3]);
+    var computedIsValid = IsEqual()([computedIsLeftRightValid + computedIsAxEqual + computedIsCcZero + computedIsPkOnCurve + computedIsSpOnCurve, 5]);
 
     isValid <== computedIsValid;
 }

package/circom/utils/IsOnCurve.circom

@@ -0,0 +1,40 @@
+pragma circom 2.0.0;
+
+// zk-kit imports
+include "./comparators.circom";
+
+/**
+ * Returns 0 or 1 depending on if the point is on the BabyJubJub curve or not. The point is on the
+ * BabyJubJub curve if the following equation is true: a*x^2 + y^2 == 1 + d*x^2*y^2
+ * This template is identical to the BabyCheck template from circomlib, but it returns 0 or 1
+ * instead of having a hard constraint.
+ * Based on: https://github.com/iden3/circomlib/blob/master/circuits/babyjub.circom
+ */
+template IsOnCurve() {
+    // x coordinate of the point on the BabyJubJub curve.
+    signal input x;
+    // y coordinate of the point on the BabyJubJub curve.
+    signal input y;
+    // True when the point (x, y) satisfies the BabyJubJub curve equation.
+    signal output isValid;
+
+    // x^2 and y^2 intermediate values.
+    signal x2;
+    signal y2;
+    // x^2 * y^2 intermediate value.
+    signal x2y2;
+
+    // BabyJubJub curve parameters.
+    var a = 168700;
+    var d = 168696;
+
+    // Compute x^2 and y^2.
+    x2 <== x * x;
+    y2 <== y * y;
+
+    // Compute x^2 * y^2.
+    x2y2 <== x2 * y2;
+
+    // Check if a*x^2 + y^2 == 1 + d*x^2*y^2.
+    isValid <== IsEqual()([a * x2 + y2, 1 + d * x2y2]);
+}

package/circom/utils/full/StateLeafAndBallotTransformer.circom

@@ -119,4 +119,9 @@ template StateLeafAndBallotTransformerFull() {
     isValid <== computedIsValid;
     isStateLeafIndexValid <== computedIsStateLeafIndexValid;
     isVoteOptionIndexValid <== computedIsVoteOptionIndexValid;
+
+    // Constrain commandPollId and commandSalt using dummy squares.
+    // This binds the proof to a specific poll and salt.
+    signal commandPollIdSquare <== commandPollId * commandPollId;
+    signal commandSaltSquared <== commandSalt * commandSalt;
 }

package/circom/utils/non-qv/StateLeafAndBallotTransformer.circom

@@ -102,4 +102,9 @@ template StateLeafAndBallotTransformerNonQv() {
     isValid <== computedIsValid;
     isStateLeafIndexValid <== computedIsStateLeafIndexValid;
     isVoteOptionIndexValid <== computedIsVoteOptionIndexValid;
+
+    // Constrain commandPollId and commandSalt using dummy squares.
+    // This binds the proof to a specific poll and salt.
+    signal commandPollIdSquare <== commandPollId * commandPollId;
+    signal commandSaltSquared <== commandSalt * commandSalt;
 }

package/circom/utils/qv/StateLeafAndBallotTransformer.circom

@@ -102,4 +102,9 @@ template StateLeafAndBallotTransformer() {
     isValid <== computedIsValid;
     isStateLeafIndexValid <== computedIsStateLeafIndexValid;
     isVoteOptionIndexValid <== computedIsVoteOptionIndexValid;
+
+    // Constrain commandPollId and commandSalt using dummy squares.
+    // This binds the proof to a specific poll and salt.
+    signal commandPollIdSquare <== commandPollId * commandPollId;
+    signal commandSaltSquared <== commandSalt * commandSalt;
 }

package/circom/utils/trees/BinaryMerkleRoot.circom

@@ -25,14 +25,17 @@ template BinaryMerkleRoot(MAX_DEPTH) {
     signal input leaf;
     // The depth of the Merkle tree.
     signal input depth;
-    // The indices of the leaf node in the Merkle tree.
-    signal input indices[MAX_DEPTH];
+    // The index of the leaf node in the Merkle tree.
+    signal input index;
     // The sibling nodes of the leaf node in the Merkle tree.
     signal input siblings[MAX_DEPTH][1];
 
     // The output of the Merkle tree root.
     signal output out;
 
+    // The indices of the leaf node in the Merkle tree.
+    signal indices[MAX_DEPTH] <== Num2Bits(MAX_DEPTH)(index);
+
     signal nodes[MAX_DEPTH + 1];
     nodes[0] <== leaf;
 

package/circom/voter/PollJoined.circom

@@ -19,8 +19,8 @@ template PollJoined(stateTreeDepth) {
     signal input voiceCreditsBalance;
     // Path elements
     signal input pathElements[stateTreeDepth][STATE_TREE_ARITY - 1];
-    // Path indices
-    signal input pathIndices[stateTreeDepth];
+    // Index
+    signal input index;
     // Poll State tree root which proves the user is joined
     signal input stateRoot;
     // The actual tree depth (might be <= stateTreeDepth) Used in BinaryMerkleRoot
@@ -35,7 +35,7 @@ template PollJoined(stateTreeDepth) {
     var calculatedRoot = BinaryMerkleRoot(stateTreeDepth)(
         stateLeaf,
         actualStateTreeDepth,
-        pathIndices,
+        index,
         pathElements
     );
 

package/circom/voter/PollJoining.circom

@@ -18,8 +18,8 @@ template PollJoining(stateTreeDepth) {
     signal input pollPublicKey[2];
     // Siblings
     signal input siblings[stateTreeDepth][STATE_TREE_ARITY - 1];
-    // Indices
-    signal input indices[stateTreeDepth];
+    // Index
+    signal input index;
     // User's hashed private key
     signal input nullifier;
     // MACI State tree root which proves the user is signed up
@@ -46,7 +46,7 @@ template PollJoining(stateTreeDepth) {
     var calculatedRoot = BinaryMerkleRoot(stateTreeDepth)(
         publicKeyHash,
         actualStateTreeDepth,
-        indices,
+        index,
         siblings
     );