# How to do ZK Governance for Kusama
The difficulty in implementing anonymous variable weight voting is that a public running tally reveals who voted simply by looking at the weights and searching for the account that locks the exact amount when the tally goes up. As such, even if you kept the accounts hidden, you could link votes with the amount.
With 1 person 1 vote, we can use the RingVRF to ensure that each person can only vote once. This approach will be used by the People Collective/Web3 Citizenship pallet.
There are a couple of approaches to address this problem for token weighted voting:
- *Homomorphic Threshold encryption ala Penumbra*. In this approach, we keep the running tally secret and only occasionally reveal it; where revealing with the less frequently, results in the better anonymity. The idea is to encrypt the amount in the vote to the validators using homomorphic threshold encryption. The validators add this to an encrypted running total of, say, aye votes. At some point, the validators decrypt and publish the current total. We need this decryption to reveal nothing about the intermediate totals, even to a coalition of voters that doesn't include a few voters who voted. This is not an easy scheme, but others have done it. This might be possible if we combine our threshold encryption ideas with Penumbra's scheme and get a homomorphic threshold encryption.
A downside of this approach is that 2/3 of the validators at the time of the vote could collude to decrypt the vote and work out the amount so they know who voted. They can do this privately and as such there is no way to punish the colluders in any way. Similarly, they can preserve the encrypted transcripts and collude publicly in the future when they no longer have bonded KSM.
- *Having users split their voting stake*. In this approach, we establish a ring for every power of two multiple of KSM. Subsequently, a voter could lock for example 512 KSM and later use a RingVRF proof against the 512 KSM ring, which would show only that they were someone who locked 512 KSM. Upon receiving the proof we add the amount to the public running tally. The advantage to this method is that we can use the existing support/approval curve referenda with no changes.
The downside is number of transaction needed for this approach and managing their timing. If the user wants every last KSM counted, they would have to split their stake and put it into several of these rings. They could then vote simultaneously, however, this basically reveals their amount. Alternatively they need to submit several separate transactions at different times. We could use a shielded pool in order for the user to be able to perform many unlinkable locking transactions, joining many rings or rings multiple times to hide that they are a whale.
The upside is that the secrecy we do is far less conditional compared to the homomorphic threshold encryption approach.
Sign in with Wallet
Connect another wallet