@maci-protocol/circuits 0.0.0-ci.f4bc8a6 → 0.0.0-ci.f4e2c46

package/circom/utils/{verifySignature.circom → EdDSAPoseidonVerifier.circom}

@@ -8,60 +8,69 @@ include "./bitify.circom";
 include "./escalarmulany.circom";
 include "./escalarmulfix.circom";
 // local imports
-include "./hashers.circom";
+include "./PoseidonHasher.circom";
 
 /**
  * Variant of the EdDSAPoseidonVerifier template from circomlib
  * https://github.com/iden3/circomlib/blob/master/circuits/eddsa.circom
  */
-template EdDSAPoseidonVerifier_patched() {
+template EdDSAPoseidonVerifier() {
+    // The prime subgroup order.
+    var SUBGROUP_ORDER = 2736030358979909402780800718157159386076813972158567259200215660948447373041;
+
+    // The base point of the BabyJubJub curve.
+    var BASE8[2] = [
+        5299619240641551281634865583518297030282874472190772894086521144482721001553,
+        16950150798460657717958625567821834550301663161624707787222815936182638968203
+    ];
+
     // The x and y coordinates of the public key.
-    signal input Ax;
-    signal input Ay;
+    signal input publicKeyX;
+    signal input publicKeyY;
     // Signature scalar.
-    signal input S;
+    signal input signatureScalar;
     // The x and y coordinates of the signature point.
-    signal input R8x;
-    signal input R8y;
+    signal input signaturePointX;
+    signal input signaturePointY;
     // Message hash.
-    signal input M;
+    signal input messageHash;
+    // Output signal for the validity of the signature.
+    signal output isValid;
 
-    signal output valid;
-
-    // Ensure S<Subgroup Order.
-    // convert the signature scalar S into its binary representation.
-    var computedNum2Bits[254] = Num2Bits(254)(S);
+    // Ensure signatureScalar<Subgroup Order.
+    // convert the signature scalar signatureScalar into its binary representation.
+    var computedNum2Bits[254] = Num2Bits(254)(signatureScalar);
 
     var computedCompConstantIn[254] = computedNum2Bits;
     computedCompConstantIn[253] = 0;
 
-    // A component that ensures S is within a valid range, 
+    // A component that ensures signatureScalar is within a valid range, 
     // comparing it against a constant representing the subgroup order.
-    var computedCompConstant = CompConstant(2736030358979909402780800718157159386076813972158567259200215660948447373040)(computedCompConstantIn);
+    var computedCompConstant = CompConstant(SUBGROUP_ORDER - 1)(computedCompConstantIn);
 
-    // Calculate the h = H(R,A, msg).
-    var computedH2Bits[254] = Num2Bits_strict()(PoseidonHasher(5)([R8x, R8y, Ax, Ay, M]));
+    // Calculate the h = H(R, A, msg).
+    var computedH2Bits[254] = Num2Bits_strict()(PoseidonHasher(5)([
+      signaturePointX,
+      signaturePointY,
+      publicKeyX,
+      publicKeyY,
+      messageHash
+    ]));
 
     // These components perform point doubling operations on the public key
     // to align it within the correct subgroup as part of the verification process.
-    var (computedDbl1XOut, computedDbl1YOut) = BabyDbl()(Ax, Ay);
-    var (computedDbl2XOut, computedDbl2YOut) = BabyDbl()(computedDbl1XOut, computedDbl1YOut);
-    var (computedDbl3XOut, computedDbl3YOut) = BabyDbl()(computedDbl2XOut, computedDbl2YOut);
+    var (computedDouble1XOut, computedDouble1YOut) = BabyDbl()(publicKeyX, publicKeyY);
+    var (computedDouble2XOut, computedDouble2YOut) = BabyDbl()(computedDouble1XOut, computedDouble1YOut);
+    var (computedDouble3XOut, computedDouble3YOut) = BabyDbl()(computedDouble2XOut, computedDouble2YOut);
 
     // A component that performs scalar multiplication of the 
     // adjusted public key by the hash output, essential for the verification calculation.
-    var computedEscalarMulAny[2] = EscalarMulAny(254)(computedH2Bits, [computedDbl3XOut, computedDbl3YOut]);
+    var computedEscalarMulAny[2] = EscalarMulAny(254)(computedH2Bits, [computedDouble3XOut, computedDouble3YOut]);
 
     // Compute the right side: right =  R8 + right2.
-    var (computedAddRightXOut, computedAddRightYOut) = BabyAdd()(R8x, R8y, computedEscalarMulAny[0], computedEscalarMulAny[1]);
-
-    // Calculate the left side: left = S * B8.
-    var BASE8[2] = [
-        5299619240641551281634865583518297030282874472190772894086521144482721001553,
-        16950150798460657717958625567821834550301663161624707787222815936182638968203
-    ];
+    var (computedAddRightXOut, computedAddRightYOut) = BabyAdd()(signaturePointX, signaturePointY, computedEscalarMulAny[0], computedEscalarMulAny[1]);
     
-    // Fixed-base scalar multiplication of a base point by S.
+    // Fixed-base scalar multiplication of a base point by signatureScalar.
     var computedEscalarMulFix[2] = EscalarMulFix(254, BASE8)(computedNum2Bits);
 
     // Components to check the equality of x and y coordinates 
@@ -73,45 +82,10 @@ template EdDSAPoseidonVerifier_patched() {
     // Components to handle edge cases and ensure that all conditions 
     // for a valid signature are met, including the 
     // public key not being zero and other integrity checks.
-    var computedIsAxZero = IsZero()(Ax);
+    var computedIsAxZero = IsZero()(publicKeyX);
     var computedIsAxEqual = IsEqual()([computedIsAxZero, 0]);
     var computedIsCcZero = IsZero()(computedCompConstant);
     var computedIsValid = IsEqual()([computedIsLeftRightValid + computedIsAxEqual + computedIsCcZero, 3]);
 
-    valid <== computedIsValid;
-}
-
-/**
- * Verifies the EdDSA signature for a given command, which has exactly four elements in the hash preimage.
- */
-template VerifySignature() {
-    // Public key of the signer, consisting of two coordinates [x, y].
-    signal input pubKey[2];
-    // R8 point from the signature, consisting of two coordinates [x, y]. 
-    signal input R8[2];
-    // Scalar component of the signature.
-    signal input S;
-
-    // Number of elements in the hash preimage.
-    var k = 4;
-    
-    // The preimage data that was hashed, an array of four elements.
-    signal input preimage[k];
-
-    signal output valid;
-
-    // Hash the preimage using the Poseidon hashing function configured for four inputs.
-    var computedM = PoseidonHasher(4)(preimage);
-
-    // Instantiate the patched EdDSA Poseidon verifier with the necessary inputs.
-    var computedVerifier = EdDSAPoseidonVerifier_patched()(
-        pubKey[0],
-        pubKey[1],
-        S,
-        R8[0],
-        R8[1],
-        computedM
-    );
-
-    valid <== computedVerifier;
+    isValid <== computedIsValid;
 }

package/circom/utils/MessageHasher.circom

@@ -0,0 +1,57 @@
+pragma circom 2.0.0;
+
+include "./PoseidonHasher.circom";
+
+/**
+ * Hashes a MACI message and the public key used for message encryption. 
+ * This template processes 10 message inputs and a 2-element public key
+ * combining them using the Poseidon hash function. The hashing process involves two stages: 
+ * 1. hashing message parts data groups of five and,
+ * 2. hashing the grouped results alongside the first message input and 
+ * the encryption public key to produce a final hash output. 
+ */
+template MessageHasher() {
+    // Message parts
+    var MESSAGE_PARTS = 10;
+    var STATE_INDEX = 0;
+    var VOTE_OPTION_INDEX = 1;
+    var NEW_VOTE_WEIGHT = 2;
+    var NONCE = 3;
+    var POLL_ID = 4;
+    var SIGNATURE_POINT_X = 5;
+    var SIGNATURE_POINT_Y = 6;
+    var SIGNATURE_SCALAR = 7;
+    var ENCRYPTED_PUBLIC_KEY_X = 8;
+    var ENCRYPTED_PUBLIC_KEY_Y = 9;
+
+    // The MACI message is composed of 10 parts.
+    signal input data[MESSAGE_PARTS];
+    // the public key used to encrypt the message.
+    signal input encryptionPublicKey[2];
+
+    // we output an hash.
+    signal output hash;
+
+    var computedHasherPart1 = PoseidonHasher(5)([
+        data[STATE_INDEX],
+        data[VOTE_OPTION_INDEX],
+        data[NEW_VOTE_WEIGHT],
+        data[NONCE],
+        data[POLL_ID]
+    ]);
+
+    var computedHasherPart2 = PoseidonHasher(5)([
+        data[SIGNATURE_POINT_X],        
+        data[SIGNATURE_POINT_Y],
+        data[SIGNATURE_SCALAR],
+        data[ENCRYPTED_PUBLIC_KEY_X],
+        data[ENCRYPTED_PUBLIC_KEY_Y]
+    ]);
+
+    hash <== PoseidonHasher(4)([
+        computedHasherPart1,
+        computedHasherPart2,
+        encryptionPublicKey[0],
+        encryptionPublicKey[1]        
+    ]);
+}

package/circom/utils/MessageToCommand.circom

@@ -0,0 +1,107 @@
+pragma circom 2.0.0;
+
+// circomlib import
+include "./bitify.circom";
+// zk-kit imports
+include "./ecdh.circom";
+include "./unpack-element.circom";
+include "./poseidon-cipher.circom";
+
+/**
+ * Converts a MACI message to a command by decrypting it.
+ * Processes encrypted MACI messages into structured MACI commands 
+ * by decrypting using a shared key derived from ECDH. After decryption, 
+ * unpacks and assigns decrypted values to specific command components. 
+ */
+template MessageToCommand() {
+    var MESSAGE_LENGTH = 7;
+    var PACKED_COMMAND_LENGTH = 4;
+    var UNPACK_ELEMENT_LENGTH = 5;
+    var DECRYPTED_LENGTH = 9;
+    var MESSAGE_PARTS = 10;
+    
+    // Element indices.
+    var ELEMENT_POLL_ID = 0;
+    var ELEMENT_NONCE = 1;
+    var ELEMENT_NEW_VOTE_WEIGHT = 2;
+    var ELEMENT_VOTE_OPTION_INDEX = 3;
+    var ELEMENT_STATE_INDEX = 4;
+
+    // Command indices.
+    var COMMAND_STATE_INDEX = 0;
+    var COMMAND_PUBLIC_KEY_X = 1;
+    var COMMAND_PUBLIC_KEY_Y = 2;
+    var COMMAND_SALT = 3;
+
+    // Decryptor indices.
+    var SIGNATURE_POINT_X = 4;
+    var SIGNATURE_POINT_Y = 5;
+    var SIGNATURE_SCALAR = 6;
+
+    // The message is an array of 10 parts.
+    signal input message[MESSAGE_PARTS];
+    // The encryption private key
+    signal input encryptionPrivateKey;
+    // The encryption public key
+    signal input encryptionPublicKey[2];
+
+    // Command parts.
+    signal output stateIndex;
+    // The new public key.
+    signal output newPublicKey[2];
+    // The vote option index.
+    signal output voteOptionIndex;
+    // The new vote weight.
+    signal output newVoteWeight;
+    // The nonce.
+    signal output nonce;
+    // The poll id.
+    signal output pollId;
+    // The salt.
+    signal output salt;
+    // The signature point.
+    signal output signaturePoint[2];
+    // The signature scalar.
+    signal output signatureScalar;
+
+    // Packed command. 
+    signal output packedCommandOut[PACKED_COMMAND_LENGTH];
+
+    // Generate the shared key for decrypting the message.
+    var computedEcdh[2] = Ecdh()(encryptionPrivateKey, encryptionPublicKey);
+
+    // Decrypt the message using Poseidon decryption.
+    var computedDecryptor[DECRYPTED_LENGTH] = PoseidonDecryptWithoutCheck(MESSAGE_LENGTH)(
+        message,
+        0, 
+        computedEcdh
+    );
+
+    // Save the decrypted message into a packed command signal.
+    signal packedCommand[PACKED_COMMAND_LENGTH];
+
+    for (var i = 0; i < PACKED_COMMAND_LENGTH; i++) {
+        packedCommand[i] <== computedDecryptor[i];
+    }
+
+    var computedUnpackElement[UNPACK_ELEMENT_LENGTH] = UnpackElement(UNPACK_ELEMENT_LENGTH)(
+        packedCommand[COMMAND_STATE_INDEX]
+    );
+
+    // Everything below were packed into the first element.
+    pollId <== computedUnpackElement[ELEMENT_POLL_ID];
+    nonce <== computedUnpackElement[ELEMENT_NONCE];
+    newVoteWeight <== computedUnpackElement[ELEMENT_NEW_VOTE_WEIGHT];
+    voteOptionIndex <== computedUnpackElement[ELEMENT_VOTE_OPTION_INDEX];
+    stateIndex <== computedUnpackElement[ELEMENT_STATE_INDEX];
+
+    newPublicKey[0] <== packedCommand[COMMAND_PUBLIC_KEY_X];
+    newPublicKey[1] <== packedCommand[COMMAND_PUBLIC_KEY_Y];
+    salt <== packedCommand[COMMAND_SALT];
+
+    signaturePoint[0] <== computedDecryptor[SIGNATURE_POINT_X];
+    signaturePoint[1] <== computedDecryptor[SIGNATURE_POINT_Y];
+    signatureScalar <== computedDecryptor[SIGNATURE_SCALAR];
+
+    packedCommandOut <== packedCommand;
+}

package/circom/utils/PoseidonHasher.circom

@@ -0,0 +1,29 @@
+pragma circom 2.0.0;
+
+// zk-kit imports
+include "./poseidon-cipher.circom";
+
+/**
+ * Computes the Poseidon hash for an array of n inputs, including a default initial state 
+ * of zero not counted in n. First, extends the inputs by prepending a zero, creating an array [0, inputs]. 
+ * Then, the Poseidon hash of the extended inputs is calculated, with the first element of the 
+ * result assigned as the output. 
+ */
+template PoseidonHasher(n) {
+    signal input inputs[n];
+    signal output out;
+
+    // [0, inputs].
+    var computedExtendedInputs[n + 1];
+    computedExtendedInputs[0] = 0;
+
+    for (var i = 0; i < n; i++) {
+        computedExtendedInputs[i + 1] = inputs[i];
+    }
+
+    // Compute the Poseidon hash of the extended inputs.
+    var computedPoseidonPerm[n + 1]; 
+    computedPoseidonPerm = PoseidonPerm(n + 1)(computedExtendedInputs);
+
+    out <== computedPoseidonPerm[0];
+}

package/circom/utils/{privToPubKey.circom → PrivateToPublicKey.circom}

@@ -9,28 +9,30 @@ include "./escalarmulfix.circom";
  * Converts a private key to a public key on the BabyJubJub curve.
  * The input private key needs to be hashed and then pruned before.
  */
-template PrivToPubKey() {
+template PrivateToPublicKey() {
     // The base point of the BabyJubJub curve.
     var BASE8[2] = [
         5299619240641551281634865583518297030282874472190772894086521144482721001553,
         16950150798460657717958625567821834550301663161624707787222815936182638968203
     ];
 
-    // Prime subgroup order 'l'.
-    var l = 2736030358979909402780800718157159386076813972158567259200215660948447373041;
+    // The prime subgroup order.
+    var SUBGROUP_ORDER = 2736030358979909402780800718157159386076813972158567259200215660948447373041;
 
-    signal input privKey;
-    signal output pubKey[2];
+    // The private key
+    signal input privateKey;
+    // The public key
+    signal output publicKey[2];
 
-    // Check if private key is in the prime subgroup order 'l'
-    var isLessThan = LessThan(251)([privKey, l]);
+    // Check if private key is in the prime subgroup order
+    var isLessThan = LessThan(251)([privateKey, SUBGROUP_ORDER]);
     isLessThan === 1;
 
     // Convert the private key to bits.
-    var computedPrivBits[253] = Num2Bits(253)(privKey);
+    var computedPrivateBits[253] = Num2Bits(253)(privateKey);
 
     // Perform scalar multiplication with the basepoint.
-    var computedEscalarMulFix[2] = EscalarMulFix(253, BASE8)(computedPrivBits);
+    var computedPublicKey[2] = EscalarMulFix(253, BASE8)(computedPrivateBits);
 
-    pubKey <== computedEscalarMulFix;
+    publicKey <== computedPublicKey;
 }

package/circom/utils/VerifySignature.circom

@@ -0,0 +1,39 @@
+pragma circom 2.0.0;
+
+// local imports
+include "./EdDSAPoseidonVerifier.circom";
+include "./PoseidonHasher.circom";
+
+/**
+ * Verifies the EdDSA signature for a given command, which has exactly four elements in the hash preimage.
+ */
+template VerifySignature() {
+    // Number of elements in the hash preimage.
+    var PRE_IMAGE_LENGTH = 4;
+
+    // Public key of the signer, consisting of two coordinates [x, y].
+    signal input publicKey[2];
+    // signaturePoint point from the signature, consisting of two coordinates [x, y]. 
+    signal input signaturePoint[2];
+    // Scalar component of the signature.
+    signal input signatureScalar;
+    // The preimage data that was hashed, an array of four elements.
+    signal input preimage[PRE_IMAGE_LENGTH];
+    // The validity of the signature.
+    signal output isValid;
+
+    // Hash the preimage using the Poseidon hashing function configured for four inputs.
+    var computedPreimage = PoseidonHasher(4)(preimage);
+
+    // Instantiate the patched EdDSA Poseidon verifier with the necessary inputs.
+    var computedIsValid = EdDSAPoseidonVerifier()(
+        publicKey[0],
+        publicKey[1],
+        signatureScalar,
+        signaturePoint[0],
+        signaturePoint[1],
+        computedPreimage
+    );
+
+    isValid <== computedIsValid;
+}

package/circom/utils/full/MessageValidator.circom

@@ -0,0 +1,91 @@
+pragma circom 2.0.0;
+
+// zk-kit imports
+include "./safe-comparators.circom";
+// local imports
+include "../VerifySignature.circom";
+
+/**
+ * Checks if a MACI message is valid or not.
+ * This template supports the full mode (all credits are spent on one option)
+ */
+template MessageValidatorFull() {
+    // Length of the packed command.
+    var PACKED_COMMAND_LENGTH = 4;
+    // Number of checks to be performed.
+    var TOTAL_CHECKS = 5;
+
+    // State index of the user.
+    signal input stateTreeIndex;
+    // Number of user sign-ups in the state tree.
+    signal input totalSignups;
+    // Vote option index.
+    signal input voteOptionIndex;
+    // Number of valid vote options for the poll.
+    signal input voteOptions;
+    // Ballot nonce.
+    signal input originalNonce;
+    // Command nonce.
+    signal input commandNonce;
+    // Packed command.
+    signal input command[PACKED_COMMAND_LENGTH];
+    // Public key of the state leaf (user).
+    signal input publicKey[2];
+    // EdDSA signature of the command (R part).
+    signal input signaturePoint[2];
+    // EdDSA signature of the command (S part).
+    signal input signatureScalar;
+    // State leaf current voice credit balance.
+    signal input currentVoiceCreditBalance;
+    // Current number of votes for specific option. 
+    signal input currentVotesForOption;
+    // Vote weight.
+    signal input voteWeight;
+
+    // True when the command is valid; otherwise false.
+    signal output isValid;
+    // True if the state leaf index is valid
+    signal output isStateLeafIndexValid;
+    // True if the vote option index is valid
+    signal output isVoteOptionIndexValid;
+
+    // Check (1) - The state leaf index must be valid.
+    // The check ensure that the stateTreeIndex < totalSignups as first validation.
+    // Must be < because the stateTreeIndex is 0-based. Zero is for blank state leaf
+    // while 1 is for the first actual user.
+    var computedIsStateLeafIndexValid = SafeLessThan(252)([stateTreeIndex, totalSignups]);
+
+    // Check (2) - The vote option index must be less than the number of valid vote options (0 indexed).
+    var computedIsVoteOptionIndexValid = SafeLessThan(252)([voteOptionIndex, voteOptions]);
+
+    // Check (3) - The nonce must be correct.    
+    var computedIsNonceValid = IsEqual()([originalNonce + 1, commandNonce]);
+
+    // Check (4) - The signature must be correct.    
+    var computedIsSignatureValid = VerifySignature()(publicKey, signaturePoint, signatureScalar, command);
+ 
+    // Check (5) - There must be sufficient voice credits.
+    // The check ensure that currentVotesForOption + currentVoiceCreditBalance is equal to voteWeight.
+    var computedAreVoiceCreditsSpent = IsEqual()(
+        [
+            currentVotesForOption + currentVoiceCreditBalance,
+            voteWeight
+        ]
+    );
+
+    // When all five checks are correct, then isValid = 1.
+    var computedIsUpdateValid = IsEqual()(
+        [
+            TOTAL_CHECKS,
+            computedIsSignatureValid + 
+            computedAreVoiceCreditsSpent +
+            computedIsNonceValid +
+            computedIsStateLeafIndexValid +
+            computedIsVoteOptionIndexValid
+        ]
+    );
+
+    isValid <== computedIsUpdateValid;
+    isStateLeafIndexValid <== computedIsStateLeafIndexValid;
+    isVoteOptionIndexValid <== computedIsVoteOptionIndexValid;
+}

package/circom/utils/full/StateLeafAndBallotTransformer.circom

@@ -0,0 +1,122 @@
+pragma circom 2.0.0;
+
+// circomlib import
+include "./mux1.circom";
+// local import
+include "./MessageValidator.circom";
+
+/**
+ * Processes a command by verifying its validity and updates the state leaf and ballot accordingly. 
+ * If the message is correct, updates the public key in the state leaf and the nonce 
+ * in the ballot using multiplexer components.
+ * This template supports the full mode (all credits are spent on one option)
+ */
+template StateLeafAndBallotTransformerFull() {
+    // Length of the packed command.
+    var PACKED_COMMAND_LENGTH = 4;
+
+    // Number of user sign-ups in the state tree.
+    signal input totalSignups;
+    // Number of valid vote options for the poll.
+    signal input voteOptions;
+
+    // The following signals represents a state leaf (signed up user).
+    // Public key.
+    signal input stateLeafPublicKey[2];
+    // Current voice credit balance.
+    signal input stateLeafVoiceCreditBalance;
+
+    // The following signals represents a ballot.
+    // Nonce.
+    signal input ballotNonce;
+    // Current number of votes for specific option. 
+    signal input ballotCurrentVotesForOption;
+
+    // The following signals represents a command.
+    // State index of the user.
+    signal input commandStateIndex;
+    // Public key of the user.
+    signal input commandPublicKey[2];
+    // Vote option index.
+    signal input commandVoteOptionIndex;
+    // Vote weight.
+    signal input commandNewVoteWeight;
+    // Nonce.
+    signal input commandNonce;
+    // Poll identifier.
+    signal input commandPollId;
+    // Salt.
+    signal input commandSalt;
+    // EdDSA signature of the command (R part).
+    signal input commandSignaturePoint[2];
+    // EdDSA signature of the command (S part).
+    signal input commandSignatureScalar;
+    // Packed command. 
+    // nb. we are assuming that the packedCommand is always valid.
+    signal input packedCommand[PACKED_COMMAND_LENGTH];
+
+    // New state leaf (if the command is valid).
+    signal output newStateLeafPublicKey[2];
+    // New ballot (if the command is valid).
+    signal output newBallotNonce;
+    
+    // True when the command is valid; otherwise false.
+    signal output isValid;
+    // True if the state leaf index is valid
+    signal output isStateLeafIndexValid;
+    // True if the vote option index is valid
+    signal output isVoteOptionIndexValid;
+
+    // Check if the command / message is valid.
+    var (
+        computedIsValid,
+        computedIsStateLeafIndexValid,
+        computedIsVoteOptionIndexValid
+    ) = MessageValidatorFull()(
+        commandStateIndex,
+        totalSignups,
+        commandVoteOptionIndex,
+        voteOptions,
+        ballotNonce,
+        commandNonce,
+        packedCommand,
+        stateLeafPublicKey,
+        commandSignaturePoint,
+        commandSignatureScalar,
+        stateLeafVoiceCreditBalance,
+        ballotCurrentVotesForOption,
+        commandNewVoteWeight
+    );
+
+    // If the message is valid then we swap out the public key.
+    // This means using a Mux1() for publicKey[0] and another one
+    // for publicKey[1].
+    var computedNewstateLeafPublicKey0Mux = Mux1()(
+        [
+            stateLeafPublicKey[0],
+            commandPublicKey[0]
+        ],
+        computedIsValid
+    );
+
+    var computedNewstateLeafPublicKey1Mux = Mux1()(
+        [
+            stateLeafPublicKey[1],
+            commandPublicKey[1]
+        ],
+        computedIsValid
+    );
+
+    newStateLeafPublicKey[0] <== computedNewstateLeafPublicKey0Mux;
+    newStateLeafPublicKey[1] <== computedNewstateLeafPublicKey1Mux;
+
+    // If the message is valid, then we swap out the ballot nonce
+    // using a Mux1().
+    var computedNewBallotNonceMux = Mux1()([ballotNonce, commandNonce], computedIsValid);
+
+    newBallotNonce <== computedNewBallotNonceMux;
+
+    isValid <== computedIsValid;
+    isStateLeafIndexValid <== computedIsStateLeafIndexValid;
+    isVoteOptionIndexValid <== computedIsVoteOptionIndexValid;
+}