# Anonymous voting in the Vochain without trusted-setup
<span style="float:right;font-style:italic;">[AragonZKResearch](https://research.aragon.org), 2022-09-09</span>
<br>
Note: this document does not focus on the cryptographic or mathematical perspective; it focuses on the engineering perspective.
## Preliminaries
zkSNARK proving schemes:
- **Cheap-to-verify-in-EVM with TrustedSetup**: Circom uses [Groth16](https://eprint.iacr.org/2016/260.pdf). Its benefit is that the proofs are small and cheap to verify in Ethereum, but it needs a circuit-specific trusted setup (a new ceremony every time the circuit changes).
- **Not-so-cheap-to-verify-in-EVM with UniversalTrustedSetup**: Other proving systems such as [Plonk](https://eprint.iacr.org/2019/953.pdf) and the original [Marlin](https://eprint.iacr.org/2019/1047.pdf) do not need a circuit-specific trusted setup, but a *universal* trusted setup (one setup, generated for a maximum circuit size, that can be reused across different circuits). The proofs are a bit bigger and more expensive to verify in Ethereum (compared to Groth16), but still acceptable.
- **Not-verifiable-in-EVM without TrustedSetup**: Other proving systems such as [Bulletproofs](https://eprint.iacr.org/2017/1066.pdf) and [Halo](https://eprint.iacr.org/2019/1021.pdf) do not require a trusted setup. Additionally, Marlin can be instantiated with the IPA commitment scheme, in which case it does not require a trusted setup either. The proofs are bigger and their verification is too expensive to be practical in Ethereum.
## Current approach
- [Vochain](https://docs.vocdoni.io/architecture/services/vochain.html) uses data structures compatible with *circomlib* (e.g. the concrete Poseidon hash, the concrete Merkle tree for the census, and concrete BabyJubJub EdDSA for signing)
- Uses Circom for the Groth16 zkSNARK proof generation
- Requires a circuit-specific trusted setup
<div class="c-row">
<div class="c-column">
#### Pros:
- Full solution already implemented in the Vochain
- The cryptographic primitives (Poseidon, BabyJubJub, Merkle tree, etc.) have Go implementations already integrated in the Vochain Go code
</div>
<div class="c-column">
#### Cons:
- Needs a circuit-specific trusted setup
</div>
</div>
<br>
Current anonymous voting *circom* circuit impl: [vocdoni/zk-franchise-proof-circuit](https://github.com/vocdoni/zk-franchise-proof-circuit)
## Possibility to remove Trusted Setup
**Motivation**: Since the Vochain does not have the EVM limitations of the Ethereum chain, Vochain zkSNARK proofs are not *limited* to Groth16 (with trusted setup); other schemes (which cannot be verified in the EVM) could be used, which would remove the need for a trusted setup.
- Instead of Circom & Circomlib, use the [arkworks](https://arkworks.rs) stack
- Removing the need for a trusted setup:
  - In arkworks the same circuit can be proven with Groth16, Marlin, etc.
  - Marlin is built on a polynomial commitment scheme. With KZG10 it requires only a *universal trusted setup* (not circuit-specific, as with Plonk).
  - Furthermore, Marlin can be instantiated with the IPA commitment scheme instead of KZG10 (the polynomial commitment scheme used by Halo 2 in Zcash).
  - IPA does not need a trusted setup (it is too expensive to verify in Ethereum, but viable in the Vochain).
$\Longrightarrow$ With this approach, the Vochain could use Marlin+IPA for anonymous voting inside the Vochain (without trusted setup), and Groth16 for binding the Vochain results into the Ethereum EVM contract (with trusted setup).
<div class="c-row">
<div class="c-column">
#### Pros:
- Flexibility to use it without a trusted setup
- The same data structures and arkworks code can be used in the Vochain with Marlin+IPA (no trusted setup, but expensive to verify inside Ethereum) and in the Ethereum chain with Groth16 (trusted setup, but cheap to verify inside Ethereum)
</div>
<div class="c-column">
#### Cons:
- Vochain data structures are not currently compatible with the arkworks cryptographic primitives (Poseidon, elliptic curve, Merkle tree, etc.)
- Two options:
  - A) migrate the Vochain data structures to arkworks-compatible ones
  - B) implement in arkworks data structures compatible with circomlib (the ones currently used in the Vochain)
</div>
</div>
<br>
Anonymous voting *arkworks* circuit & library impl: [aragonzkresearch/ark-anon-vote](https://github.com/aragonzkresearch/ark-anon-vote)
## Circuit impl
- Current anonymous voting ***circom*** circuit impl: [github.com/vocdoni/zk-franchise-proof-circuit](https://github.com/vocdoni/zk-franchise-proof-circuit)
  - Works only with Groth16 (and naive Plonk)
  - Can be verified in Ethereum and in the Vochain, but requires a trusted setup in both cases
- New anonymous voting ***arkworks*** circuit & library impl: [github.com/aragonzkresearch/ark-anon-vote](https://github.com/aragonzkresearch/ark-anon-vote)
  - Can be used with Groth16, Marlin+KZG10, Marlin+IPA, and others
  - Can be verified in Ethereum (requiring a trusted setup) and in the Vochain (without a trusted setup)
## Conclusion
This document is not written with the intention of pushing for a specific approach, but to present a way to have Vochain anonymous voting without a trusted setup, while presenting the context and the different benefits and tradeoffs of the mentioned approaches.
There might be a 3rd approach that could also work: keep compiling the circuits with `circom` and then use `ark-circom` to load them into `arkworks`, thus being able to use the different zkSNARK proving systems available in arkworks. In this way we could still use the current Poseidon hash, BabyJubJub keys and Merkle tree from circomlib (the ones currently being used in the Vochain), but generate the proofs with arkworks using Marlin+IPA, and thus without a trusted setup.
But it is not yet clear whether this is possible.
<style>
.c-row{
background:#f0f0f0;
}
.c-row:after {
content: "";
display: table;
clear: both;
}
.c-column {
float: left;
width: 50%;
padding: 10px;
}
/* CSS hack to add section numbers to titles,
starting from h2.*/
/* Titles numbers */
.markdown-body h1 {counter-reset: h2}
.markdown-body h2 {counter-reset: h3}
.markdown-body h3 {counter-reset: h4}
.markdown-body h2:before {counter-increment: h2; content: counter(h2) ". "}
.markdown-body h3:before {counter-increment: h3; content: counter(h2) "." counter(h3) ". "}
.markdown-body h2.nocount:before, .markdown-body h3.nocount:before { content: ""; counter-increment: none }
.markdown-body h1:before, .markdown-body h2:before, .markdown-body h3:before {
color: #737373!important;
}
/* TOC numbers */
.toc ul li ul {
counter-reset: section;
list-style-type: none;
}
.toc ul li ul li::before {
color: #919191!important;
counter-increment: section;
content: counters(section, ".") " ";
}
</style>