Add maxChoices to VoteCast circuit — enforce choice < poll size

The circuit now constrains voteChoice < maxChoices via a public input.
A poll with 3 choices rejects choice=200 at the proof level, not just
server-side validation. The constraint uses subtraction + ToBinary to
prove (maxChoices - choice - 1) is non-negative.

Public inputs are now: pollId, voterRegistryRoot, nullifier,
voteCommitment, maxChoices. On-chain contract stores maxChoices
in the constructor and passes it to the verifier.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: stackdump

internal/server/server.go

@@ -599,7 +599,7 @@ var circuitDescriptions = map[string]struct {
 	"burn":         {"ERC-20 burn: proves balance >= amount", []string{"preStateRoot", "postStateRoot", "from", "amount"}},
 	"approve":      {"ERC-20 approve: proves owner == caller", []string{"preStateRoot", "postStateRoot", "caller", "spender", "amount"}},
 	"vestClaim":    {"Vesting claim: proves ownership and available amount", []string{"preStateRoot", "postStateRoot", "tokenID", "caller", "claimAmount"}},
-	"voteCast":     {"ZK vote: proves voter eligibility and valid choice without revealing identity or choice", []string{"pollId", "voterRegistryRoot", "nullifier", "voteCommitment"}},
+	"voteCast":     {"ZK vote: proves voter eligibility and valid choice without revealing identity or choice", []string{"pollId", "voterRegistryRoot", "nullifier", "voteCommitment", "maxChoices"}},
 }
 
 // handleCircuits lists available ZK circuits.
@@ -740,7 +740,7 @@ func (s *Server) handleBundle(w http.ResponseWriter, r *http.Request) {
 
 	genesisConfig := solidity.GenesisConfig{}
 	if strings.HasPrefix(schema.Version, "Vote:") {
-		genesisConfig.ConstructorArgs = "0 /* voterRegistryRoot */, address(0) /* verifier — deploy Verifier.sol first */"
+		genesisConfig.ConstructorArgs = "0 /* voterRegistryRoot */, 10 /* maxChoices */, address(0) /* verifier — deploy Verifier.sol first */"
 	}
 	deployCode := solidity.GenerateGenesis(schema.Name, genesisConfig, solidity.DefaultAddresses())
 

prover/circuits.go

@@ -287,19 +287,19 @@ func (c *VestingClaimCircuit) Define(api frontend.API) error {
 }
 
 // VoteCastCircuit proves: "I am an eligible voter and my vote is valid" without revealing identity or choice.
-// Public inputs: pollId, voterRegistryRoot, nullifier, voteCommitment
+// Public inputs: pollId, voterRegistryRoot, nullifier, voteCommitment, maxChoices
 // Private inputs: voterSecret, voteChoice, voterWeight, pathElements[20], pathIndices[20]
 //
 // The voteCommitment = mimcHash(voterSecret, voteChoice) binds the choice to the voter's secret.
 // Since voterSecret is private and unknown to observers, the commitment cannot be brute-forced
-// even though voteChoice is only 8 bits. Tallying requires the voter to reveal their choice
-// after the poll closes.
+// even though voteChoice is only 8 bits.
 type VoteCastCircuit struct {
 	// Public inputs
 	PollID             frontend.Variable `gnark:",public"`
 	VoterRegistryRoot  frontend.Variable `gnark:",public"`
 	Nullifier          frontend.Variable `gnark:",public"`
 	VoteCommitment     frontend.Variable `gnark:",public"`
+	MaxChoices         frontend.Variable `gnark:",public"`
 
 	// Private inputs
 	VoterSecret  frontend.Variable
@@ -329,8 +329,11 @@ func (c *VoteCastCircuit) Define(api frontend.API) error {
 	expectedNullifier := mimcHash(api, c.VoterSecret, c.PollID)
 	api.AssertIsEqual(c.Nullifier, expectedNullifier)
 
-	// 4. Vote range: proves choice fits in 8 bits (up to 256 options)
+	// 4. Vote range: choice fits in 8 bits AND choice < maxChoices
 	api.ToBinary(c.VoteChoice, 8)
+	diff := api.Sub(c.MaxChoices, c.VoteChoice)   // maxChoices - choice
+	diffMinusOne := api.Sub(diff, 1)               // must be >= 0 (i.e., choice <= maxChoices-1)
+	api.ToBinary(diffMinusOne, 8)                   // proves non-negative
 
 	// 5. Vote commitment: binds choice to voter secret (blinded — can't brute-force)
 	expectedCommitment := mimcHash(api, c.VoterSecret, c.VoteChoice)

prover/service.go

@@ -239,6 +239,9 @@ func (f *ArcnetWitnessFactory) CreateAssignment(circuitName string, witness map[
 		if assignment.VoteCommitment, err = goprover.ParseWitnessField(witness, "voteCommitment"); err != nil {
 			return nil, err
 		}
+		if assignment.MaxChoices, err = goprover.ParseWitnessField(witness, "maxChoices"); err != nil {
+			return nil, err
+		}
 		if assignment.VoterSecret, err = goprover.ParseWitnessField(witness, "voterSecret"); err != nil {
 			return nil, err
 		}

prover/verify.go

@@ -84,8 +84,8 @@ func VerifyVoteCastWitness(p *Prover, witnessData map[string]string) error {
 // ValidateVoteCastPublicInputs checks that a voteCast proof's public inputs
 // match the expected poll parameters.
 func ValidateVoteCastPublicInputs(publicInputs []string, expectedPollID, expectedRegistryRoot string) error {
-	if len(publicInputs) < 4 {
-		return fmt.Errorf("voteCast requires 4 public inputs (pollId, registryRoot, nullifier, voteCommitment), got %d", len(publicInputs))
+	if len(publicInputs) < 5 {
+		return fmt.Errorf("voteCast requires 5 public inputs (pollId, registryRoot, nullifier, voteCommitment, maxChoices), got %d", len(publicInputs))
 	}
 
 	// Public inputs order matches circuit definition: PollID, VoterRegistryRoot, Nullifier, VoteCommitment
@@ -109,14 +109,15 @@ func buildPublicWitness(circuitName string, publicInputs []string) (witness.Witn
 	// Create a circuit assignment with only the public fields set
 	switch circuitName {
 	case "voteCast":
-		if len(publicInputs) < 4 {
-			return nil, fmt.Errorf("voteCast requires 4 public inputs, got %d", len(publicInputs))
+		if len(publicInputs) < 5 {
+			return nil, fmt.Errorf("voteCast requires 5 public inputs, got %d", len(publicInputs))
 		}
 		assignment := &VoteCastCircuit{
 			PollID:            parseBigIntOrZero(publicInputs[0]),
 			VoterRegistryRoot: parseBigIntOrZero(publicInputs[1]),
 			Nullifier:         parseBigIntOrZero(publicInputs[2]),
 			VoteCommitment:    parseBigIntOrZero(publicInputs[3]),
+			MaxChoices:        parseBigIntOrZero(publicInputs[4]),
 		}
 		w, err := frontend.NewWitness(assignment, ecc.BN254.ScalarField(), frontend.PublicOnly())
 		if err != nil {

public/bitwrap.js

@@ -261,7 +261,7 @@ function collectWitness(circuitName) {
         const leaf = mimcHash(voterSecret, voterWeight);
         const tree = MerkleTree.fromLeaves([leaf], 20);
 
-        return buildVoteCastWitness({ tree, voterIdx: 0, pollId, voterSecret, voteChoice, voterWeight });
+        return buildVoteCastWitness({ tree, voterIdx: 0, pollId, voterSecret, voteChoice, voterWeight, maxChoices: 256n });
     }
     default:
         alert(`No witness builder for circuit: ${circuitName}`);

public/poll.js

@@ -6,6 +6,7 @@ import { buildVoteCastWitness } from './witness-builder.js';
 
 // Current poll context
 window.currentPollId = null;
+let currentPollData = null; // cached poll data from loadPoll
 let selectedChoice = null;
 
 // ============ Navigation ============
@@ -174,6 +175,7 @@ async function loadPoll(pollId) {
         if (!resp.ok) throw new Error('Poll not found');
         const data = await resp.json();
         const poll = data.poll;
+        currentPollData = poll;
 
         document.getElementById('vote-title').textContent = poll.title;
         document.getElementById('vote-desc').textContent = poll.description || '';
@@ -273,8 +275,9 @@ window.castVote = async function() {
         const leaf = mimcHash(voterSecret, voterWeight);
         const tree = MerkleTree.fromLeaves([leaf], 20);
 
+        const maxChoices = BigInt(currentPollData ? currentPollData.choices.length : 256);
         const witnessResult = buildVoteCastWitness({
-            tree, voterIdx: 0, pollId, voterSecret, voteChoice, voterWeight
+            tree, voterIdx: 0, pollId, voterSecret, voteChoice, voterWeight, maxChoices
         });
 
         btn.innerHTML = '<span class="spinner"></span>Generating proof...';
@@ -317,6 +320,7 @@ window.castVote = async function() {
                     witnessResult.witness.voterRegistryRoot,
                     witnessResult.witness.nullifier,
                     witnessResult.witness.voteCommitment,
+                    witnessResult.witness.maxChoices,
                 ],
             })
         });

public/witness-builder.js

@@ -192,11 +192,12 @@ export function buildTransferFromWitness({
 // voterSecret: voter's secret derived from wallet signature (BigInt)
 // voteChoice: the choice index (BigInt, 0-255)
 // voterWeight: voter's weight in the registry (BigInt)
-export function buildVoteCastWitness({ tree, voterIdx, pollId, voterSecret, voteChoice, voterWeight }) {
+export function buildVoteCastWitness({ tree, voterIdx, pollId, voterSecret, voteChoice, voterWeight, maxChoices }) {
   pollId = BigInt(pollId);
   voterSecret = BigInt(voterSecret);
   voteChoice = BigInt(voteChoice);
   voterWeight = BigInt(voterWeight);
+  maxChoices = BigInt(maxChoices || 256);
 
   // Voter registry root from Merkle tree
   const voterRegistryRoot = tree.root;
@@ -215,6 +216,7 @@ export function buildVoteCastWitness({ tree, voterIdx, pollId, voterSecret, vote
       voterRegistryRoot: fieldStr(voterRegistryRoot),
       nullifier: fieldStr(nullifier),
       voteCommitment: fieldStr(voteCommitment),
+      maxChoices: fieldStr(maxChoices),
       voterSecret: fieldStr(voterSecret),
       voteChoice: fieldStr(voteChoice),
       voterWeight: fieldStr(voterWeight),

solidity/codegen.go

@@ -34,7 +34,7 @@ func (g *generator) generate() string {
 		b.WriteString("        uint256[2] calldata _pA,\n")
 		b.WriteString("        uint256[2][2] calldata _pB,\n")
 		b.WriteString("        uint256[2] calldata _pC,\n")
-		b.WriteString("        uint256[4] calldata _pubSignals\n")
+		b.WriteString("        uint256[5] calldata _pubSignals\n")
 		b.WriteString("    ) external view returns (bool);\n")
 		b.WriteString("}\n\n")
 	}
@@ -135,9 +135,10 @@ func (g *generator) generateConstructor() string {
 	b.WriteString("    // ============ Constructor ============\n\n")
 
 	if g.isVoteSchema() {
-		b.WriteString("    constructor(uint256 _voterRegistryRoot, address _verifier) {\n")
+		b.WriteString("    constructor(uint256 _voterRegistryRoot, uint256 _maxChoices, address _verifier) {\n")
 		b.WriteString("        contractOwner = msg.sender;\n")
 		b.WriteString("        voterRegistryRoot = _voterRegistryRoot;\n")
+		b.WriteString("        maxChoices = _maxChoices;\n")
 		b.WriteString("        verifier = IVerifier(_verifier);\n")
 		b.WriteString("        emit OwnershipTransferred(address(0), msg.sender);\n")
 		b.WriteString("    }\n\n")
@@ -177,12 +178,13 @@ func (g *generator) generateVoteCastFunction() string {
 	b.WriteString("        require(pollConfig == 1, \"poll not active\");\n")
 	b.WriteString("        require(!nullifiers[_nullifier], \"already voted\");\n")
 	b.WriteString("\n")
-	b.WriteString("        // Verify ZK proof: public inputs are [pollId, voterRegistryRoot, nullifier, voteCommitment]\n")
-	b.WriteString("        uint256[4] memory pubSignals;\n")
+	b.WriteString("        // Verify ZK proof: public inputs are [pollId, voterRegistryRoot, nullifier, voteCommitment, maxChoices]\n")
+	b.WriteString("        uint256[5] memory pubSignals;\n")
 	b.WriteString("        pubSignals[0] = _pollId;\n")
 	b.WriteString("        pubSignals[1] = voterRegistryRoot;\n")
 	b.WriteString("        pubSignals[2] = _nullifier;\n")
 	b.WriteString("        pubSignals[3] = _voteCommitment;\n")
+	b.WriteString("        pubSignals[4] = maxChoices;\n")
 	b.WriteString("        require(\n")
 	b.WriteString("            verifier.verifyProof(_pA, _pB, _pC, pubSignals),\n")
 	b.WriteString("            \"invalid ZK proof\"\n")
@@ -284,6 +286,7 @@ func (g *generator) generateStateVariables() string {
 	if g.isVoteSchema() {
 		b.WriteString("\n    // ZK Voter Registry and Verifier\n")
 		b.WriteString("    uint256 public voterRegistryRoot;\n")
+		b.WriteString("    uint256 public maxChoices;\n")
 		b.WriteString("    IVerifier public verifier;\n")
 		b.WriteString("    mapping(uint256 => uint256) public voteCommitments; // nullifier => blinded vote commitment\n")
 	}
@@ -337,6 +340,12 @@ func (g *generator) generateEvents() string {
 	b.WriteString("    // ============ Events ============\n\n")
 
 	for _, action := range g.schema.Actions {
+		// Vote-specific: castVote event matches the hand-written function emit
+		if g.isVoteSchema() && action.ID == "castVote" {
+			b.WriteString("    event CastVote(uint256 epoch, uint256 seq, uint256 indexed nullifier, uint256 voteCommitment);\n")
+			continue
+		}
+
 		params := g.inferEventParams(action)
 		// Add epoch and seq to all events for debugging
 		if params != "" {

solidity/testgen.go

@@ -38,7 +38,7 @@ func (g *testGenerator) generate() string {
 		b.WriteString("\n    function setUp() public {\n")
 		b.WriteString("        // Deploy a mock verifier that always returns true\n")
 		b.WriteString("        address mockVerifier = address(new MockVerifier());\n")
-		b.WriteString(fmt.Sprintf("        token = new %s(0, mockVerifier);\n", contractName))
+		b.WriteString(fmt.Sprintf("        token = new %s(0, 10, mockVerifier);\n", contractName))
 		b.WriteString("    }\n\n")
 	} else {
 		b.WriteString("    function setUp() public {\n")
@@ -63,7 +63,7 @@ func (g *testGenerator) generate() string {
 		b.WriteString("        uint256[2] calldata,\n")
 		b.WriteString("        uint256[2][2] calldata,\n")
 		b.WriteString("        uint256[2] calldata,\n")
-		b.WriteString("        uint256[4] calldata\n")
+		b.WriteString("        uint256[5] calldata\n")
 		b.WriteString("    ) external pure returns (bool) {\n")
 		b.WriteString("        return true;\n")
 		b.WriteString("    }\n")
@@ -232,7 +232,7 @@ func (g *testGenerator) generateInvariantTests(contractName string) string {
 
 	b.WriteString("    function setUp() public {\n")
 	if strings.HasPrefix(g.schema.Version, "Vote:") {
-		b.WriteString(fmt.Sprintf("        token = new %s(0, address(new MockVerifier()));\n", contractName))
+		b.WriteString(fmt.Sprintf("        token = new %s(0, 10, address(new MockVerifier()));\n", contractName))
 	} else {
 		b.WriteString(fmt.Sprintf("        token = new %s();\n", contractName))
 	}