Aztec x Aragon bring private on-chain voting to Nouns
The Private Research Sprint
Private DAO voting has long been a holy grail. So when Nouns DAO recognized the urgent need for confidential governance, we teamed up with Aragon to answer the call.
Today’s Aztec x Aragon implementation of the Nouns DAO private research sprint spec, written in Aztec’s universal zk language Noir, is a major step toward private voting for the Nouns community and for decentralized organizations in general.
Private voting is the “real-world” default, and for good reason! Public voting has long been problematic for DAOs, creating:
- 11th hour voting problems
- vote coercion
- bandwagoning effects
Privacy-first governance can solve these issues, providing:
- vote privacy (confidentiality of vote)
- tally privacy (confidentiality of outcome)
The Aztec x Aragon proposal flexibly addresses all three of these problems, with minimal off-chain dependencies, by using Ethereum storage proofs and time-lapse encryption.
Here’s how it will actually work:
Phase 1: Nouns Census Using Ethereum Storage Proofs
In Phase 1, we develop a system for taking the census of all NFT holders using Ethereum storage proofs.
This is a unique feature of our proposal enabled by @NoirLang and Aztec’s UltraPlonk prover. The census proves Nouns ownership or delegation rights using on-chain data without revealing owner identities.
Functionally, a Nouns owner “finds their spot” in Ethereum’s Merkle-Patricia state and storage tries: they prove that the path from the contract’s storage root leads to a slot holding their address, without revealing that address. It’s worth noting that the UltraPlonk implementation with Noir is what makes this storage proof feasible client-side.
Traversing the storage trie means hashing every node on the path and checking it against the reference held by its parent, and Keccak is expensive inside a circuit: the user may need to evaluate more than 50 Keccak hashes to reach the right places in the tree and prove those storage slots contain the owner’s address.
Because Noir compiles to an intermediate representation (the Abstract Circuit Intermediate Representation or ACIR), our team can simply substitute a highly optimized UltraPlonk backend to run these hashes efficiently!
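As an added example (not code from the Aztec/Aragon proposal or from Noir), here is the storage-proof walk in plain Python, so the hash count is visible: the slot key for a hypothetical `_owners[tokenId]` mapping is derived with one Keccak, the trie path is the Keccak of that key, and every node from the storage root down is hashed and compared with its parent’s reference. `OWNERS_SLOT`, `OWNER` and the two-node trie are constructed for the demo; a production prover would use a library Keccak, and the Noir circuit performs the same arithmetic in-circuit.

```python
# Added example (not code from the Aztec/Aragon proposal): a pure-Python walk of an
# Ethereum storage proof, showing where the Keccak hashes the prover must evaluate
# come from. Hypothetical assumptions: the NFT contract keeps `mapping(uint256 =>
# address) _owners` at slot OWNERS_SLOT; the proof is the RLP node list from the
# storage root to the leaf, children referenced by 32-byte hash; the trie is constructed.
_RC = [0x1, 0x8082, 0x800000000000808A, 0x8000000080008000, 0x808B, 0x80000001,
       0x8000000080008081, 0x8000000000008009, 0x8A, 0x88, 0x80008009, 0x8000000A,
       0x8000808B, 0x800000000000008B, 0x8000000000008089, 0x8000000000008003,
       0x8000000000008002, 0x8000000000000080, 0x800A, 0x800000008000000A,
       0x8000000080008081, 0x8000000000008080, 0x80000001, 0x8000000080008008]
_ROT = [[0, 36, 3, 41, 18], [1, 44, 10, 45, 2], [62, 6, 43, 15, 61],
        [28, 55, 25, 21, 56], [27, 20, 39, 8, 14]]
_M64 = (1 << 64) - 1

def _rol(v, n):
    return ((v << n) | (v >> (64 - n))) & _M64
def _keccak_f(st):  # 25 lanes, lane index = x + 5*y
    for rc in _RC:
        c = [st[x] ^ st[x + 5] ^ st[x + 10] ^ st[x + 15] ^ st[x + 20] for x in range(5)]
        d = [c[(x - 1) % 5] ^ _rol(c[(x + 1) % 5], 1) for x in range(5)]
        st = [st[i] ^ d[i % 5] for i in range(25)]                                  # theta
        b = [0] * 25
        for x in range(5):
            for y in range(5):                                                      # rho, pi
                b[y + 5 * ((2 * x + 3 * y) % 5)] = _rol(st[x + 5 * y], _ROT[x][y])
        st = [b[i] ^ (~b[(i + 1) % 5 + 5 * (i // 5)] & b[(i + 2) % 5 + 5 * (i // 5)])
              for i in range(25)]                                                   # chi
        st[0] ^= rc                                                                 # iota
    return st
def keccak256(data):  # Ethereum's Keccak-256: 0x01 domain padding, unlike NIST SHA3's 0x06
    msg = bytearray(data) + b"\x01"
    msg += b"\x00" * (-len(msg) % 136)
    msg[-1] |= 0x80
    st = [0] * 25
    for off in range(0, len(msg), 136):
        st = _keccak_f([st[i] ^ int.from_bytes(msg[off + 8 * i:off + 8 * i + 8], "little")
                        for i in range(17)] + st[17:])
    return b"".join(lane.to_bytes(8, "little") for lane in st)[:32]

def _rlp_item(d):  # decode one RLP item from the front of d -> (bytes | list, remaining bytes)
    p = d[0]
    if p < 0x80: return d[:1], d[1:]
    base, long = (0x80, 0xB8) if p < 0xC0 else (0xC0, 0xF8)
    n, l = (p - base, 0) if p < long else (int.from_bytes(d[1:p - long + 2], "big"), p - long + 1)
    body, rest, items = d[1 + l:1 + l + n], d[1 + l + n:], []
    if p < 0xC0: return body, rest
    while body:
        item, body = _rlp_item(body)
        items.append(item)
    return items, rest
def rlp_encode(x):
    if isinstance(x, (bytes, bytearray)) and len(x) == 1 and x[0] < 0x80:
        return bytes(x)
    body, base = (bytes(x), 0x80) if isinstance(x, (bytes, bytearray)) else (b"".join(map(rlp_encode, x)), 0xC0)
    if len(body) < 56:
        return bytes([base + len(body)]) + body
    nb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([base + 55 + len(nb)]) + nb + body
def _nibbles(b):
    return [n for byte in b for n in (byte >> 4, byte & 0xF)]

def owner_slot(token_id, owners_slot):  # Solidity mapping slot: keccak256(abi.encode(key, base))
    return keccak256(token_id.to_bytes(32, "big") + owners_slot.to_bytes(32, "big"))
def verify_storage_proof(root, slot, proof):
    """Walk proof from root along keccak(slot)'s nibbles -> (value, keccaks evaluated)."""
    path, want, hashes = _nibbles(keccak256(slot)), root, 1
    for raw in proof:
        hashes += 1
        if keccak256(raw) != want:
            raise ValueError("node hash does not match its parent's reference")
        node, _ = _rlp_item(raw)
        if len(node) == 17:                           # branch: descend by the next nibble
            want, path = node[path[0]], path[1:]
            continue
        nib = _nibbles(node[0])                       # extension or leaf: hex-prefix path
        is_leaf, nib = nib[0] >= 2, nib[2 - (nib[0] & 1):]
        if path[:len(nib)] != nib or (is_leaf and len(nib) != len(path)):
            raise ValueError("path mismatch: this slot is not under this node")
        if is_leaf:
            return _rlp_item(node[1])[0], hashes      # the leaf value is itself RLP-encoded
        path, want = path[len(nib):], node[1]
    raise ValueError("proof exhausted before reaching the slot")

OWNERS_SLOT = 3                          # hypothetical base slot of _owners
OWNER = bytes.fromhex("deadbeef" * 5)    # constructed 20-byte sample address
def build_sample_proof(slot, owner):  # constructed trie: one branch whose only child is the leaf
    path = _nibbles(keccak256(slot))
    hp = bytes([0x30 | path[1]] + [path[i] << 4 | path[i + 1] for i in range(2, 64, 2)])  # leaf, odd
    leaf = rlp_encode([hp, rlp_encode(owner)])
    branch = [b""] * 17
    branch[path[0]] = keccak256(leaf)
    branch = rlp_encode(branch)
    return keccak256(branch), [branch, leaf]
def prove_owner(token_id=7):  # derive the slot, build the sample proof, verify it -> (OWNER, 3)
    slot = owner_slot(token_id, OWNERS_SLOT)
    root, proof = build_sample_proof(slot, OWNER)
    return verify_storage_proof(root, slot, proof)
```

Each node on the path costs one Keccak, and a real Nouns slot sits under the account’s storage root, which is itself proved through the state trie, so the total hash count grows with the depth of both tries; that is the cost an optimized UltraPlonk backend is there to absorb.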
Phase 2: Vote Obfuscation with Delay-Relayers
In Phase 2, we ensure that addresses with multiple Nouns can also preserve privacy with the help of a vote delay relayer.
The problem faced by holders of multiple Nouns is a diminished anonymity set. Voters holding exactly one Noun belong to the largest set of users; the rarer an address’s Noun count is, the easier it is to link a vote of that weight back to the address that cast it.
Therefore it’s important to decompose large holders’ votes into individual ones. Under our proposal, each NFT casts its own vote, with vote relayers submitting on behalf of owners with multiple Nouns in order to obfuscate their origin.
The relayer’s sole purpose is to collect votes from Noun whales and spread them out over a long period of time. It has no access to the votes themselves, keeping wallet addresses private at all times.
Phase 3: Time-Lapse Encryption Service
In Phase 3, we propose implementing a time-lapse encryption service.
This delayed decryption mechanism achieves tally fairness: no one can tally the proposal’s ongoing votes before the voting period ends.
The service publishes a fresh public key for each time period and reveals the corresponding private key only once that period has elapsed. Votes encrypted to the period’s key can be aggregated while voting is open and tallied only after the reveal.
Once the private key is revealed, the votes are decrypted and the results tallied — much like opening a real-world ballot box.
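The following is an added example, not the Aztec/Aragon design and not a scheme the page specifies: a toy model of Phase 2 (one ballot per Noun, routed through a delay relayer that sees only ciphertexts) and Phase 3 (a service that publishes a public key per epoch and releases the private key only after the epoch’s deadline). Hypothetical choices: exponential ElGamal in Z_p^* with p = 2^255 - 19 and g = 2 stands in for the time-lapse scheme so that encrypted ballots can be multiplied together before decryption, and epoch keys derived from a master seed stand in for a real time-lock construction. Every input is constructed.

```python
# Added example, not the Aztec/Aragon design: a toy of Phase 2 (per-Noun ballots through
# a delay relayer) and Phase 3 (epoch keys sealed until a deadline). Hypothetical choices:
# exponential ElGamal in Z_p^* with p = 2^255 - 19, g = 2; seed-derived epoch keys in
# place of a real time-lock scheme. All ballots and holdings below are constructed.
import hashlib
import random
import secrets

P = 2**255 - 19   # toy modulus; Z_p^* with g = 2 is NOT a production group choice
G = 2


def keygen_for_epoch(master_seed, epoch):
    """Toy: derive the epoch key pair (sk, pk) from the service's master seed."""
    h = hashlib.sha256(master_seed + epoch.to_bytes(8, "big")).digest()
    sk = int.from_bytes(h, "big") % (P - 2) + 1
    return sk, pow(G, sk, P)


class TimelapseService:
    """Publishes pk per epoch now; reveals sk only once the epoch's deadline has passed."""
    def __init__(self, master_seed, epoch_len):
        self.seed, self.epoch_len = master_seed, epoch_len

    def public_key(self, epoch):
        return keygen_for_epoch(self.seed, epoch)[1]

    def reveal(self, epoch, now):
        deadline = (epoch + 1) * self.epoch_len
        if now < deadline:
            raise PermissionError(f"sk for epoch {epoch} stays sealed until t={deadline}")
        return keygen_for_epoch(self.seed, epoch)[0]


def encrypt_ballot(pk, vote):
    """Exponential ElGamal: (g^r, g^vote * pk^r); vote is 1 (for) or 0 (against)."""
    if vote not in (0, 1):
        raise ValueError("a per-Noun ballot carries exactly one vote")
    r = secrets.randbelow(P - 2) + 1
    return pow(G, r, P), pow(G, vote, P) * pow(pk, r, P) % P


class DelayRelayer:
    """Takes a whale's already-encrypted per-Noun ballots and spreads them over the window."""
    def __init__(self, window_start, window_end, seed):
        self.start, self.end, self.rng = window_start, window_end, random.Random(seed)

    def schedule(self, ciphertexts):
        """Return (submit_time, ciphertext) pairs in submission order; votes stay opaque."""
        order = list(ciphertexts)
        self.rng.shuffle(order)
        times = sorted(self.rng.uniform(self.start, self.end) for _ in order)
        return list(zip(times, order))


def aggregate(ciphertexts):
    """Componentwise product: the result is an encryption of the sum of the votes."""
    a, b = 1, 1
    for c1, c2 in ciphertexts:
        a, b = a * c1 % P, b * c2 % P
    return a, b


def decrypt_count(sk, agg, max_votes):
    """Recover g^sum = c2 / c1^sk, then the small exponent by exhaustive search."""
    c1, c2 = agg
    m = c2 * pow(c1, P - 1 - sk, P) % P
    for count in range(max_votes + 1):
        if pow(G, count, P) == m:
            return count
    raise ValueError("aggregate does not decode to a vote count")


def run_election(holdings, epoch_len=100, master_seed=b"constructed-seed", epoch=0):
    """holdings: list of (nouns_held, vote). Returns the number of 'for' votes by Noun."""
    service = TimelapseService(master_seed, epoch_len)
    pk = service.public_key(epoch)
    ballots = [encrypt_ballot(pk, vote) for held, vote in holdings for _ in range(held)]
    submitted = DelayRelayer(0, epoch_len, seed=1).schedule(ballots)
    agg = aggregate(c for _, c in submitted)           # anyone can do this mid-vote...
    sk = service.reveal(epoch, now=epoch_len)          # ...but decrypt only after the deadline
    return decrypt_count(sk, agg, len(ballots))
```

The relayer never calls `decrypt_count`, and `reveal` refuses before the deadline, so the two properties the page lists fall out of the structure: vote privacy because each ballot is encrypted before it leaves the voter, tally privacy because the only thing anyone can compute mid-vote is the aggregate ciphertext.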
Our proposal means that Noun owners can:
- prove Nouns ownership on-chain
- permanently preserve vote privacy
- obfuscate ownership of multiple Nouns
- cast votes in one step
In our exploration of further work, we discuss optimizations to the time-lapse encryption scheme, support for multisigs, and private gas payment schemes.
We also want to shout out The Anounymous Proposal by Mach34 utilizing Noir to enable private voting — we’re excited to collaborate among all teams regardless of affiliation!
For more background on our proposal, Nouns, and the private research sprint, check out these resources:
Build on Noir
Private voting. Encrypted games. Proving off-chain compute.
All of it is made possible with Noir — the universal language of zero knowledge. Noir is a language for writing zk circuits that lets you plug in any proving backend and verify on any EVM chain.
⚫️ Learn more and get started with Noir with our documentation.
Have questions about the Aztec Proposal? Jump into the Aztec Discord!
Get in touch with the authors of the proposal:
Interested in working on the hardest problems bringing ZK mainstream?
See Aztec’s open positions here.