# Anounamous - Private Governance for NounsDao: ECDSA
Most blockchains use ECDSA key pairs on the secp256k1 curve. In the past, [ECDSA in zero knowledge circuits has been prohibitively expensive](https://0xparc.org/blog/zk-ecdsa-1). However, these benchmarks reflect the cost of verifying ECDSA signatures inside Groth16 circuits. [UltraPlonk](https://zcash.github.io/halo2/concepts/arithmetization.html), a PLONK variant optimized with “lookup tables” and “custom gates”, offers ECDSA signature verification in ~36,000 constraints (measured in Aztec Noir). This sort of verification can be performed in the browser in a matter of seconds. The desire for hardware compatibility, combined with the recent innovations in ZK ECDSA verification, led us to recommend ECDSA over "zero-knowledge friendly" curves and signature schemes.
ECDSA is already used on-chain, so we need it to prove provenance over the Nouns voting weight that we proved to exist in the storage proof. To support multisignature wallets, we need to employ a “[threshold signature scheme](https://blog.pantherprotocol.io/threshold-cryptography-an-overview/)”. Until recently, the underlying “[verifiable secret sharing](https://medium.com/nethermind-eth/a-tour-of-verifiable-secret-sharing-schemes-and-distributed-key-generation-protocols-3c814e0d47e1)” mechanism needed for the multiparty computation required synchronicity. In our context, this means that all the keyholders of a multisig that owns Nouns would need to be online at the same time to trustlessly compute a shared key. Recent innovations in “asynchronous verifiable secret sharing” [[GS23]](https://eprint.iacr.org/2022/506.pdf) have paved the way for [practical ECDSA threshold signatures](https://medium.com/dfinity/threshold-ecdsa-the-key-ingredient-behind-the-internet-computers-bitcoin-and-ethereum-cf22649b98a1) that meet the requirements of the NounsDao private governance spec.
For total trustlessness, GS23 prescribes a consensus layer for the ordering and availability of the secret share commitments made by each key holder. However, GS23 considers distributed key generation in a highly adversarial environment. In the case of multisig wallets holding Nouns tokens, we believe that each keyholder’s incentives are aligned such that the holders can reach a consensus on secret commitment ordering through private but centralized means. Should research and/or experience reveal that incentives are misaligned, we would employ our novel Zero Knowledge State Channel construction to facilitate the correct ordering of transactions. These state channels can reside in centralized, end-to-end encrypted databases to ensure the liveness and correctness of an ephemeral state computation without paying gas.
Note on Recursion: Aztec Noir will eventually support [PCD recursion](https://tlu.tarilabs.com/cryptography/trustless-recursive-zero-knowledge-proofs#proof-carrying-data); with this improvement, we will be able to construct a “Key Provenance” proof that allows an ECDSA key to prove ownership of an EdDSA key. This can be combined with the storage proof to authorize the use of voting weight for “free” (we needed to do this for key provenance anyway).
A similar construction can be used to enable true multisignature wallets, whereas this implementation proposes the use of multi-party computation to emulate the desired functionality of a multisignature wallet in zero knowledge. This would enable the key holders of a multisignature wallet to asynchronously commit their signatures to a given vote without the online requirements of MPC for distributed key generation.
PCD recursion allows us to [treat the process of a top-level proof recursing subproofs in a nearly identical way to main functions calling helper functions](https://www.youtube.com/watch?v=6mcCyQXm8vo), and the availability of PCD recursion should prompt Nouners to evaluate how the functionality of their private governance can be augmented.