# Anounymous - Private Governance for NounsDAO: Vote Tallying and Outcome Decryption
### Deciding on our Methodology
At the outset of research for this proposal, ideation originally centred on a "self-tallying" scheme. We investigated threshold signcryption as a way to make vote decryption a function of participation, so that a proposal which does not cross the participation threshold cannot have its outcome decrypted. Ultimately, this construction places too much responsibility on Nouns voters to be viable. Despite this, we are keeping an eye on academic research into these schemes in the hope that new innovations can be used.
Self-tallying would have been a `t-of-n` threshold decryption scheme dependent on `t` voters showing up. After being convinced of the inefficacy of `t-of-n` decryption, our ideation around `n-of-n` decryption quickly converged on the solution proposed by [Nouns-Vortex](https://prop.house/nouns/private-voting-research-sprint/3783). Though our proposal has novelty in its use of ECDSA and storage proofs, we credit Nouns-Vortex with the idea of the tallying committee.
The proposal deadline has not yet allowed us to investigate the use of "[Oblivious Transfers](https://arxiv.org/abs/2010.02421)" to facilitate voting instead of additive homomorphism. We intend to continue our research into this approach and may alter our scheme before or at the beginning of the grant work (if accepted).
In any case, the tallying of votes happens onchain in encrypted space, using the additive homomorphic algebra of either Paillier or ElGamal. The tally remains encrypted until the tallying committee decrypts the outcome.
### Tallying Committee
The requirements of tallying, whether via MPC or stake slashing, are too high for the average voter to participate. Instead of requiring every voter to participate in tallying, we can have a voluntary committee in which high-net-worth Nouns holders stake their tokens for the right and obligation to participate in the threshold decryption. Zero-knowledge proofs can protect against fraud by proving correctness of encryption and therefore of tallying. However, without efficient and asynchronous MPC for self-tallying, the severity of negligence or malice in governance demands a financial stake which can be slashed for bad behavior.
As with ECDSA, we can employ a [threshold scheme for Paillier](https://eprint.iacr.org/2019/1136.pdf) (or a [threshold scheme for ElGamal](https://cachin.com/cc/sft12/distcrypto.pdf)). Since the tallying committee can be subjected to stringent liveness requirements, there is little concern over the practicality of distributed key generation. It is important to note that nodes on the tallying committee must have some sort of exit queue that allows them to leave without disrupting proposals. The committee could preemptively compute a new PHE threshold key whenever a node wants to enter or exit, without impeding the ability to create new proposals.
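To make the encrypted onchain tally and the `n-of-n` committee decryption concrete, here is a small added example (not code from the proposal or from Nouns-Vortex) using the additive, exponent-encoded variant of ElGamal: votes are folded into a single ciphertext by multiplication, and the result only opens once every committee member has contributed a partial decryption. The group parameters, member shares and votes are constructed toy values.

```python
import secrets

# Constructed toy group (far too small for real use): safe prime P = 2Q + 1 and G of
# order Q. Votes live in the exponent, so multiplying ciphertexts adds the votes.
P, Q, G = 1019, 509, 4

def joint_public_key(shares):
    """Each member i holds x_i; the committee key is g^(sum x_i), so the
    matching secret exists only as the n-of-n combination of all shares."""
    pk = 1
    for x in shares:
        pk = pk * pow(G, x, P) % P
    return pk

def encrypt_vote(pk, vote, r=None):
    """Encrypt a 0/1 vote as (g^r, g^vote * pk^r); r is random unless fixed."""
    assert vote in (0, 1)
    r = secrets.randbelow(Q - 1) + 1 if r is None else r
    return pow(G, r, P), pow(G, vote, P) * pow(pk, r, P) % P

def add_encrypted(a, b):
    """Homomorphic addition: the component-wise product of two ciphertexts."""
    return a[0] * b[0] % P, a[1] * b[1] % P

def partial_decrypt(share, ct):
    """One member contributes c1^x_i; the share itself never leaves the node."""
    return pow(ct[0], share, P)

def combine(ct, partials, max_votes):
    """Strip the product of partials from c2 and search the small tally t in g^t."""
    d = 1
    for part in partials:
        d = d * part % P
    gt = ct[1] * pow(d, -1, P) % P
    for t in range(max_votes + 1):
        if pow(G, t, P) == gt:
            return t
    return None  # a missing member's partial leaves the tally sealed

def run_tally(votes, shares, present=None, rands=None):
    """Fold encrypted votes into an accumulator (the onchain tally) and decrypt
    with the partials of the members in `present` (default: all of them)."""
    pk = joint_public_key(shares)
    rands = rands or [None] * len(votes)
    acc = (1, 1)  # encryption of zero
    for v, r in zip(votes, rands):
        acc = add_encrypted(acc, encrypt_vote(pk, v, r))
    partials = [partial_decrypt(x, acc) for x in (shares if present is None else present)]
    return combine(acc, partials, len(votes))
```

The same `partial_decrypt`/`combine` path applied to a single vote's ciphertext rather than the accumulator is exactly the retroactive decryption that full committee collusion enables, which is why the scheme relies on slashing and non-collusion rather than on the mathematics alone.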
Importantly, encrypting votes with the threshold PHE public key does not prevent retroactive decryption of a given message. If all nodes on the committee choose to collude, they could decrypt any of the votes posted onchain. The Nouns-Vortex team assumes that the committee will not collude, given that collusion could break the privacy of their own votes.
This is a reasonable assumption; however, it would not prevent the committee from tracking the order of their own submissions and decrypting every message that was not sent by a committee member. It is not trivial to provide perpetual secrecy without trusting in the non-collusion of the tally committee.
In practice, performing this attack against every voter except the largest Nouns holders would still deanonymize the large holders: the fewer votes that remain private, the easier it is to deduce the vote of any given large-cap holder. Thus, this attack would have to be performed sparingly against specific users to be done "safely".
We are considering augmenting this system with a [mixnet](https://labs.ece.uw.edu/nsl/papers/proceedings-06.pdf) that scrambles the order of messages. Though the committee could still identify all of their own messages, mixing the order of encrypted votes would make it far harder to target a specific identity for deanonymization by collusion. Aztec Connect will likely be the infrastructure employed to facilitate vote mixing and batching; however, this requires more research and ideation between the Anounymous proposal team and Aztec.
### Future Improvements: Verifiable Delay Functions
Even if it is impractical or even impossible to perpetually shield the individual votes of a Nouns holder, it is viable to at least make decryption of votes *during the vote period* impossible. We can employ a "[Verifiable Delay Function](https://www.monash.edu/it/ssc/cybersecurity/seminars/2020/verifiable-delay-functions)" which takes at least as long as the voting period to compute. This computation would yield the private key of an independent keypair (controlled by no single tally node) that is added to the PHE threshold. Decryption by the `n-of-n` tallying committee would therefore be blocked until the Verifiable Delay Function has finished.