[ZIP TBD] Shielded Voting Protocol

[p0mvn]

Summary

This PR introduces Shielded Voting Protocol — a complete specification for stake-weighted governance voting over the Zcash Orchard shielded pool. Holders prove their ZEC balance via the Orchard Proof-of-Balance and cast votes without revealing their identity, individual balances, or vote allocations.

This is the core governance ZIP in the approved ZIP breakdown, building on two previously submitted ZIPs:

• Orchard Balance Proof — the foundational primitive for proving note ownership without revealing standard nullifiers
• Nullifier PIR — private retrieval of exclusion proofs used during delegation

Protocol at a glance

The protocol proceeds in five phases:

1. Delegation — A holder proves ownership of unspent Orchard notes at a pool snapshot and delegates voting power to an unlinkable governance hotkey, producing a Vote Authority Note (VAN) on a purpose-built vote chain.
2. Voting — The hotkey consumes a VAN and produces a Vote Commitment containing 16 El Gamal-encrypted shares of the voter's ballot count, split across vote options.
3. Share submission — The voter sends each encrypted share to one or more untrusted submission servers.
4. Share reveal — Each server constructs a Vote Reveal Proof (proving the share belongs to a valid VC without revealing which one) and submits it at a randomized delay.
5. Tally — Validators holding Shamir shares of the election authority key cooperate to produce partial decryptions; results are combined via Lagrange interpolation and publicly verified.

Key privacy properties

• Unlinkable delegation — Governance nullifiers cannot be linked to standard Orchard nullifiers without knowledge of nk
• Balance hiding via vote splitting — Ballot count decomposed into 16 independently submitted El Gamal-encrypted shares
• Individual amounts hidden — Only aggregate totals per (proposal, decision) pair are ever decrypted
• Vote commitment unlinkability — Blinded per-share commitments prevent linking revealed shares back to a specific VC

Test plan

• Renders correctly via make draft-valargroup-shielded-voting.html
• make linkcheck passes for cross-references to Balance Proof, Nullifier PIR, and EA Key Ceremony ZIPs
• Math notation renders correctly (KaTeX) — especially El Gamal equations, Poseidon hashes, and bitmask operations
• All sections follow ZIP structure standards (Terminology → Abstract → Motivation → Privacy Implications → Requirements → Specification → Rationale → Deployment → References)
• BCP 14 keywords appear only in Specification section
• No conformance requirements outside Specification
• References are all single-line with correct anchors