References to sub-documents

The slides that capture a subset of this information can be found here.
An analysis of some membership proof based options can be found here.
An analysis of some SNARK-based options can be found here.
A brief comparison of some encrypted votes based options can be found here.
Vocdoni's post on anonymous voting (introducing some helpful vocabulary) can be found here.

What we want to achieve
12/5/2022

In all of the options below, the protocol works as follows: voters solve an equation that is only solvable by people who hold a secret key corresponding to one of the public keys in the census, and use this proof to sign a message. The message is not encrypted, and its content is the voter's vote. (Domain-separation information such as chain id and process id can also go into the message, in order to provide replay protection.)

DualDory

DualDory: Logarithmic-verifier linkable ring signatures through preprocessing

This is an elliptic curve discrete log-based scheme, with pairings-based preprocessing. This scheme is very new, but a huge plus is that it is implementable and launchable today, with no future research needed.

Pros:
Usable today
Linkable out of the box
11/16/2022

Groth and Kohlweiss introduced the concept of one of many proofs in their 2014 paper, which also proposes the first O(log N) construction of the concept. One of many proofs are at their heart a membership proof, also known as a ring signature. In other words, whereas a normal digital signature attests to the statement ‘I know the private key that corresponds to this public key’, ring signatures prove the statement ‘I know the private key that corresponds to one of the public keys in this list’, without revealing which of the public keys it is.

Without the privacy requirement, the list of public keys could simply be a list, and the signature proving that the signer knows one of them could simply be a digital signature like ECDSA or EdDSA, as is used in many multi-sig accounts. But that reveals which of the public keys the signature corresponds to, and so would reveal, for example, specific individuals’ spending habits. This could make them, for example, more vulnerable to coercion. So ring signatures keep that information private.

Privacy in the cryptocurrency space is often thought of as very SNARK-based, due either to Zcash’s domination of mindshare or to the simpler model of programming with a SNARK DSL, rather than reading 1 million cryptography papers, implementing things from scratch, and the specialist audits that requires. The main way to do this is to put all the participants’ public keys into a Merkle tree, and then have them prove knowledge of one of the Merkle paths and of the secret key corresponding to the public key at that leaf. Constructing this within a SNARK involves a lot of hashing, and traditional hash functions are famously SNARK-unfriendly.
CUE RING SIGNATURES ;)

At a high level, the way ring signatures work is that there is a challenge based on all of the potential PKs, and then the prover uses their secret information (their sk) to produce a response that will verify against the list of PKs, without revealing which specific PK their sk corresponds to.
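The challenge/response structure described above, as an added example that is not part of the original notes: a linkable ring signature in the classic LSAG style (Liu, Wei, Wong), not DualDory or the Groth-Kohlweiss construction, so the signature here grows linearly with the ring. The 768-bit RFC 2409 group, the function names and the way the linking tag is derived are choices made for this example.

```python
import hashlib, secrets

# Added example. Demo group: 768-bit safe prime from RFC 2409 (too small for production).
P = int("FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
        "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
        "4FE1356D6D51C245E485B576625E7EC6F44C42E9A63A3620FFFFFFFFFFFFFFFF", 16)
Q, G = (P - 1) // 2, 4   # G = 4 generates the subgroup of squares, of prime order Q

def _h(*parts):
    # Length-prefixed SHA-512 over byte strings and group elements.
    d = hashlib.sha512()
    for x in parts:
        b = x if isinstance(x, bytes) else x.to_bytes(96, "big")
        d.update(len(b).to_bytes(4, "big") + b)
    return int.from_bytes(d.digest(), "big")

def keygen():
    sk = secrets.randbelow(Q - 1) + 1
    return sk, pow(G, sk, P)

def _base(ring):
    # Second base with unknown discrete log: hash the ring, square into the subgroup.
    return pow(_h(b"base", *ring) % P, 2, P)

def _step(ring, h, tag, msg, pk, c, s):
    # One link of the ring: rebuild both commitments, hash them into the next challenge.
    a = pow(G, s, P) * pow(pk, c, P) % P
    b = pow(h, s, P) * pow(tag, c, P) % P
    return _h(b"chal", *ring, tag, msg, a, b) % Q

def sign(msg, ring, idx, sk):
    n, h = len(ring), _base(ring)
    tag = pow(h, sk, P)                       # same key + same ring => same tag
    c, s, k = [0] * n, [0] * n, secrets.randbelow(Q - 1) + 1
    i = (idx + 1) % n
    c[i] = _step(ring, h, tag, msg, 1, 0, k)  # c = 0 yields the plain commitments g^k, h^k
    while i != idx:                           # simulate every other ring member
        s[i] = secrets.randbelow(Q)
        c[(i + 1) % n] = _step(ring, h, tag, msg, ring[i], c[i], s[i])
        i = (i + 1) % n
    s[idx] = (k - sk * c[idx]) % Q            # only the real sk can close the ring
    return c[0], s, tag

def verify(msg, ring, sig):
    c0, s, tag = sig
    if len(s) != len(ring) or not 1 < tag < P or pow(tag, Q, P) != 1:
        return False
    c, h = c0, _base(ring)
    for pk, si in zip(ring, s):
        c = _step(ring, h, tag, msg, pk, c, si)
    return c == c0
```

Two valid signatures over the same ring that carry the same tag came from the same key, which is how a tally can reject a second vote without learning who cast it.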
10/7/2022