Small Grants: ZK (Private) Voting for Nouns DAO

Social voting is inarguably one of the main problems affecting Nouns DAO. It compromises efficient use of the Treasury in proliferating the ⌐◨-◨ meme.

Nouners many times aren’t necessarily voting for what they believe is best. Instead, they feel trapped into quid pro quo voting, afraid that their vote could reflect poorly on their image, and/or affect the likelihood of getting their own prop through when the time comes. Conversely, it occurs that Nouners vote in favor or against a proposal based on how the proposer voted for their past props.

This dynamic is irrefutably not in the best interest of the DAO.

Evidence of this is that 85% (147/173) of on-chain props that have made it to either the Passed or Defeated state have passed. The great majority of those that passed didn’t require going back to the drawing board to optimize things like distribution, value back to the DAO, and price. Some argue that props that have support are the ones that make it on-chain, but reality is that in most cases the real discussion starts when it’s submitted on-chain.

I propose the DAO initiates R&D towards being the first to employ zK-SNARKs to attain Private Voting. Private Voting would allow Nouners or delegates to vote, the vote would be tallied trustlessly on-chain, but it would be impossible to determine if the Noun voted ‘yes’ or ‘no’. Even after the vote concluded.

I am passionate about this issue for two reasons:

  1. It will ensure that the DAO only passes props where every Nouner expressed their honest opinion. This will inevitably work in favor of efficient use of the Treasury and will compel proposers to do a better job in explaining how their prop proliferates the meme efficiently. Proposers will be careful in pricing their prop as it will receive more scrutiny, which should extend the DAO’s runway.

  2. zK-SNARKs are a fairly new technology that hasn’t been exploited to its full potential, and ZK Voting is mostly an unexplored problem space. In implementing Private Voting Nouns DAO will be the first DAO to do so; which will surely cement ZK Voting as Nounish.

I propose starting with a NSFW round to get some proof of concepts running. Then evolve to an on-chain prop to develop the full implementation.

My Nouns Story

I’m known as DigitalOil. I’ve been in the crypto space since 2014. This tweet pretty much reflects my evolution:

Unfortunately, although I heard of Nouns near its genesis, I didn’t pay too much attention to it. In June 2022 I bumped into Nouns again and to get my feet wet I bought some LilNouns. It wasn’t until later this year that I started thinking about DAOs more deeply and was reminded of Nouns.

This time, I did a deep-dive and this is what came out:

Then, I bought a couple Nouns. And then I deep-dove into subDAOs (LilNouns mechanics):

And I did an analysis of Nouns Prop history here:

I recently submitted a prop that uses Chainlink VRF randomness to distribute some of the Nouns Vision Glasses in the Nouns Treasury.

And now, I’d like to focus on Private Voting.

Background (zK-SNARKs)

Zero-knowledge proofs have been around since the 1980s, but it wasn’t until the early 2010s that zK-SNARKs were invented, as until that time there was a way to construct proofs but they required multiple interactions between prover and verifier which is impractical for most applications.

SNARKs are non-interactive and succint by definition; so a perfect fit for blockchains. SNARKs enabled the first cryptocurrency application of zero knowledge proofs with Zcash, a blockchain that allows for P2P private payments.

This is roughly the way zK-SNARKs would work for voting in a DAO on Ethereum:

  1. Lay out the conditions that need to be satisfied (in our case, conditions like):
    1. signer owns or has been delegated a Noun
    2. voting either 0 or 1
    3. can only vote once
  2. Convert the conditions into one or more QAPs (quadratic arithmetic programs). That is, write a program that is compatible with the way zk-SNARKs are composed.
  3. Convert the QAPs into polynomials that enforce the desired conditions.
  4. Very roughly — prover (voter) evaluates polynomials in such a way that reflects their vote.
  5. Submits the proof of evaluation and some other parameters to the vote-tallying smart contract.
  6. Contract verifies the proof and accepts it.
  7. When voting is finished, contract tallies the vote total and determines if the prop passed or not.

Some of the difficulties are:

  1. This hasn’t been done before with the specifications needed for a DAO on Ethereum. State of the art on the subject of ZK voting was published this year. I had a meeting with Dr. Muhammad ElSheikh, author of the paper and it’s likely I would bring him on board in the implementation phase.
  2. Setting conditions up such that not every token holder or registered voter is required to show up to vote.
  3. Not requiring excessive preparation ceremonies for each vote.
  4. Ensuring that the proof is small enough to fit into an Ethereum block.
  5. Minimizing (target keeping at zero) any trust or relying on admins.
  6. Making it scalable to be able to handle a growing number of voters.
  7. Making it dispute-free (such that the implementation doesn’t depend on an external entity having to dispute an incorrect proof; thus interrupting voting).
  8. Not requiring a collateral deposit from an admin or voters.

Approaches

My early research has led to some preliminary approaches in solving the problem at hand. These are the approaches and trade-offs.

Funding Breakdown

I am requesting 12 ETH per month for 3 months, paid monthly to get some proof of concepts working. An additional 1 ETH to cover infrastructure and gas expenses.

Timeline

Weeks 1-3: Planning and continuing research, including literature review and sharing findings.

Weeks 4-5: Proposing plan of how proof of concept will work

Weeks 6-10: Implementation of proof of concept on testnet

Weeks 11-12: Report of design and proof of concept results and plan for on-chain prop

Success Metrics

Although this is not an easy problem to solve as its highly unexplored territory, my hope is that we can check off as many of these objectives during this 3 month part-time residency:

  • Get proof of concept implementation up on Goerli allowing token holders to vote on a proposal without revealing if they voted yes or no. Note: it will be known who voted and who didn’t.
  • Setting conditions up such that not every token holder is required to vote.
  • Not requiring excessive preparation ceremonies for each vote.
  • Ensuring that the proof is small enough to fit into an Ethereum block.
  • Making it scalable to be able to handle more voters.
  • Minimizing (target keeping at zero) any trust or relying on admins.
  • Making it dispute-free (such that the implementation doesn’t depend on an external entity having to dispute an incorrect proof interrupting voting).
  • Not requiring depositing collateral from an admin or voters.

Conclusion

I am excited to be working at the intersection of two of my great passions – applied math and Nouns.

My hope is that we are able to achieve Private Voting for the DAO and for Nouns to be the first to make this huge leap for web3.

6 Likes

This proposal looks fantastic I am excited to see it come to fruition.
I appreciate your dedication and effort in putting it together. This is a great thing to focus on

1 Like

Excited about this. It feels to me like the best quick and dirty solution is to rely on another blockchain (i.e. approach #2). Are there working examples of this? The cons you lay out don’t seem super significant to me.

1 Like

This is really cool, I’m enjoying learning about this side of the dao.

1 Like

Hey @0xDigitalOil and Nouns community,

About Me

I am a ZK researcher and co-founder of Poseidon ZKP (https://twitter.com/Poseidon_ZK). I am also an nouns owner (that is for my anonymous identity so I won’t disclose which one I own in public :stuck_out_tongue: ) and big fan of Nouns DAO. I published one of the first ZKML paper and the technique was adopted by worldcoin.

My Previous talks on ZKP:
DEVCON 6: 1. Devcon VI Bogotá | Workshop 1 - Day 3 - YouTube
ZK Summit 8: ZK8: Poseidon VM: A zkApp friendly blockchain virtual machine - Shumo Chu & Brandon Gomes - Manta - YouTube

The Applied ZKP Workshop I Organized: GitHub - Poseidon-ZKP/Applied-ZKP-Workshop: Applied ZKP Workshop for building zkDApp on Ethereum

How Poseidon ZKP Can Help Nouns Build Anonymous Voting

Poseidon ZKP is a on-going project that is partially funded by 0xPARC and works closely with Privacy Scaling and Exploration group of Ethereum Foundation. Poseidon ZKP implementes a set of highly optimized ZK circuit as primitives so that application developers can use Poseidon ZKP as black box API and SDK to build zkDApp purely using Solidity. zkVote is one of these primitives.

How does Poseidon ZKP’s anonymous voting works?

ZKP Circuits

The core idea is anonymous membership proof + external nullifiers. All the member who are eligible to vote can join an anonymous group. Then, a valid vote requires verify two things in ZK:

  1. the voter is part of the group
  2. the voter hasn’t voted this event yet (using the external nullifiers)

Currently, Poseidon ZKP contracts has built circuits and unit tests for both, as well as a demo zkDApp (more details later).

Fee Relayer

In addition to the circuits, a fee relayer is needed (otherwise gas fee payment would leak voter’s identity), Poseidon ZKP also built a fee relayer prototype based on open-zeppelin defender to handle that.

Customizability and Modularity

Poseidon ZKP is designed to be modular, so it supports using NFT as anonymous group credentials from the beginning. In the future, more advanced features such as hybrid voting can be added (voter can choose to be anonymous or not).

Core Technical Metrics of Poseidon ZKP’s zkVote (All on a M1 Mac)

  1. zkVote Gas Fee: 600K (can be further reduced to 300K)
  2. zkVote proof generation time: 5s in browser (using SNARKJS)
  3. zkVote circuit trusted setup participant time: 45s

Engineering Readiness

TLDR, the protype and zk voting demo is end to end work. We can make this to production in Q2 (with top tier ZKP code audit and trusted setup). I think we have already checked every boxes that @0xDigitalOil in success metrics

Get proof of concept implementation up on Goerli allowing token holders to vote on a proposal without revealing if they voted yes or no. Note: it will be known who voted and who didn’t.
Setting conditions up such that not every token holder is required to vote.
Not requiring excessive preparation ceremonies for each vote.
Ensuring that the proof is small enough to fit into an Ethereum block.
Making it scalable to be able to handle more voters.
Minimizing (target keeping at zero) any trust or relying on admins.
Making it dispute-free (such that the implementation doesn’t depend on an external entity having to dispute an incorrect proof interrupting voting).
Not requiring depositing collateral from an admin or voters.

Poseidon ZKP’s zkVote Demo

Note: It is deployed on Optimism Goerli and generates ZKP inside MetaMask (using MetaMask SNAP) thus require download MetaMask Flask. We could put the ZKP generation on the DApp as well.

https://zk-vote-web-two.vercel.app/

Poseidon ZKP zkVote Technical Details:

Collaborations

We would love to collaborate! Would love to chat with @0xDigitalOil (already DMed in twitter) to work on this together.

Funding

Happy to provide an updated funding proposal after discussing with @0xDigitalOil and would like to organize a trusted setup in Nouns community to make the zkVote fully decentralized.

2 Likes

I can see the value in private voting to a point, but I don’t think it would be good for the ecosystem in the long run. Votes being public creates for a lot of awkward moments and hard conversations, but we’re seeing people just now beginning to learn how to challenge each other and keep it civil. Cultivating this virtue is essential to the DAO in my opinion. To do anything to make that more avoidable is a negative in my eyes.

I also don’t think private voting would avoid quid pro quo voting, I just think it would keep it hidden and make the problem worse after a short period of adjustment in the beginning. Worse still, any allegations of collusion would then be unprovable forever rather than being open to inspection. Once that trust barrier breaks down, it would be very difficult to recover without returning to public voting.

I highly respect your thought process and would love to hear your thoughts.

1 Like

Thanks for this @xerophyte.

For the record, responded to your message on twitter and we have a meeting set.

Cheers!

Dear @AndrewLaddusaw,

Thanks for your response.

tbh, all very valid points.

I would counter with:

Private voting is as close as you can get to ensuring that social voting doesn’t occur. If Nouners try to circumvent behind closed doors, I estimate it would be a minority of Nouners in a minority of cases, as it won’t be easy and in most cases impossible to determine if the other party kept their end of the deal. The minority of cases where you could “determine” if the other party kept to their promise, would be edge-case voting outcomes like unanimous votes where you know for certain how every voter voted, or votes where the number of ‘for’ or ‘against’ votes is exactly equal to the number of votes under the control of a particular Nouner or delegate.

In contrast, what we have now is a situation where nearly every Nouner is undoubtedly under pressure at voting time; whereas private voting allows for voting freely and true to one’s beliefs, as it should be.

In summary, and to your first point, I think it is a worthy virtue for the DAO to figure out healthy social voting, but it hasn’t been solved yet, there is no guarantee that it will be, or that if it is that it will withstand the passage of time. For this reason, I rather go with a solution that is much more likely to solve the problem at hand.

Feel free to counter again, as the premise/necessity for this prop is as important as the innovation itself.

Cheers!

1 Like

It seems to me that a choice must be made between privacy and the potential to recognize a cartel

In addition, the possibilities for collusion are very limited due to the high cap of Nouns collection

2 Likes

Much needed and something we’ve talked about a ton at House of Nouns. Big ups on this prop idea.

2 Likes

Valid point.

My view is, there are cases we need transparent voting, there are cases we need private voting. If you think about that, modern democracy requires voting in private for a reason. The point of building a ZK based voting system is to give voter or each single voting event a privacy option, there could be 3 kind of votings:

  1. fully transparent
  2. fully private
  3. each voter has an option to choose stay private or transparent

I am not an governance expert, but having privacy voting at least as an option is a very good thing in my view.

1 Like

Yes, I agree that once we understand more deeply what is possible with private voting for Nouns DAO, we need to have a conversation regarding if we want every single vote to be 100% private, hybrid, or have the option for votes to be completely open or completely private.