Funding Request: Aragon Zero Knowledge Research guild 2023

Summary

The Aragon research team is uniquely qualified to develop a prototype of a censorship-resistant, privacy-first voting system for DAOs. This system is a critical missing component in the web3 space that requires a deep understanding of cryptography and math to meet its high security needs. The team has multidisciplinary skills and a track record of success that make them well-equipped to tackle this long-term project. Their work aligns with Aragon’s mission and strategy and will be a major focus for the team over the next 14 months, from January 2023 to February 2024. Funding this project will allow the research team to continue building on their strengths and make significant contributions to the field of web3 technology.

Period: 12 months (1st March 2023 - 29th February 2024)
Requested budget: US$ 1,602,589
Full-time positions: 9 (i.e. 8 full-time + 2 half-time equivalents)
Main outputs:
  • Prototype of a privacy-centric censorship-resistant voting system for web3
  • POCs, software implementations and research publications
  • Support to Aragon DAO contributors for the integration of the voting system, some of its components, or other software developments done by AZKR
  • Knowledge transfer on Cryptography, Security, Zero-knowledge, and Mathematics to Aragon DAO contributors
Aragon impact:
  • Contribution of a missing key primitive (a “secure” voting system) for safe participation in (Aragon’s) DAOs
  • Position Aragon as a player in the zero-knowledge space
  • (Potentially, by integrating deliverables in Aragon) Add utility to the ANT token
Broader impact: Open sourcing research on applied cryptography (documentation and software)

Strategic alignment with Aragon

Why does Aragon need a research team?

Web3 companies need to understand math, cryptography, and computer science to keep up with the fast-growing technical innovations in the field. Leading organizations such as Aragon should also contribute to these areas of development and have teams dedicated to them. Building these teams takes time and requires multidisciplinary, knowledgeable team members who can collaborate and experiment.

The setup phase (January - August 2022)

The Aragon research guild was established in late 2021 with the goal of producing proofs-of-concept (such as OVOTE) by leveraging ZK (zero-knowledge) technology to solve decentralized governance challenges. Another goal is to facilitate both vertical and horizontal technology transfers to other Aragon guilds. The guild spent the first few months building the team, identifying areas of interest, and establishing a foundation of knowledge. In May, it set up its blog (https://research.aragon.org) and released its first software PoC: OVOTE. To support its mission, the AZKR guild follows the latest developments in zero-knowledge cryptography, experiments with existing tools and publishes research and training materials related to this area.

The First OKRs season (September - December 2022)

The AZKR guild adopted the objectives and key results methodology in September, with a focus on off-chain voting and private voting. During the first season, the guild accomplished several significant outcomes, creating software prototypes (e.g. blind-OVOTE) and production-ready tools (e.g. SHA512 implementation for Aztec’s Noir language), publishing technical documentation and training materials, and giving talks on private decentralized voting. Further details of our production are provided in the annex at the end of this document.

Next steps (January 2023 - February 2024)

In light of the Aragon Key Result for 2023 “Voters in Aragon have the option to vote anonymously” of the Objective “Reach defensible product market fit for App & Core”, from January 2023 to February 2024 the AZKR guild will focus its efforts on developing a prototype of a censorship-resistant, privacy-first voting system for DAOs, code-named CeresVote. This is a critical missing component in Aragon’s DAO toolset for enhancing basic participation rights of DAO members, such as privacy. Its development requires a deep understanding of cryptography and math to meet its high security needs. Building on our multidisciplinary skills, our previous work and the resources of this proposal, we firmly believe that we can have such a prototype ready for integration by third parties (e.g. App & Core and Vocdoni guilds) by the end of the aforementioned period of time.

As CeresVote will be developed independently of existing ZK platforms, this will open up the possibility of ANT being used to help govern CeresVote, or to secure its infrastructure.

Goals and activities

Primary Goals

CeresVote prototype

The main goal for 2023 is the development of a prototype for a censorship-resistant voting system for DAOs, internally code-named CeresVote (CEnsorship Resistant) with the focus on maximal privacy, verifiability (individual, universal, and eligibility), and decentralization. Such a voting system is an indispensable primitive for any project aimed at becoming a trustless governance hyperstructure like Aragon as it is fundamental for i) the safe participation of the DAO members in the decision making processes and ii) the legitimacy of the decisions taken. The system will use layer 2 ZK-rollups and recursive SNARK technology, and will be built as a COSMOS zone. Its main features will include census creation, voting on ZK-rollup nodes, vote aggregation and proof generation on ZK-rollup nodes, and on-chain execution of vote results on Ethereum or any EVM-compatible chain. The prototype will be intended for further development into a production-ready product, but some features and functionality, including user interfaces, may still be limited or incomplete. The AZKR guild also plans to research and potentially develop recursive and aggregated ZK proofs, which have the potential to be powerful tools with clear applications for the CeresVote project.

To summarise CeresVote:

  • It is not meant to be a generic e-voting solution, but is specifically meant for web3 DAOs with very specific requirements: safe participation (privacy/anonymity), censorship-resistance and low cost on-chain execution (Ethereum/EVM-chain).
  • Fulfilling these requirements is not trivial, therefore a significant amount of the efforts must be spent on research, even though we can leverage the team’s existing knowledge and experience.
  • The end result will be a prototype that can later be integrated/adapted by 3rd parties (e.g. Aragon DAO or Vocdoni).

Develop recursion and aggregation of ZK proofs

The AZKR guild plans to research and potentially develop recursive and aggregated ZK proofs, which are still in their infancy and have significant potential as a powerful technology. The guild aims to research the state-of-the-art of existing recursive tooling, theoretical research in the field, and suitable elliptic curves, as well as potentially creating additional recursive SNARK applications. Recursive and aggregated ZK proofs have clear applications for the CeresVote project, such as aggregating users’ ZK proofs of census membership and using recursion to chain ZK proofs and results. The guild will decide on whether to create standalone tools or contribute to existing toolsets, such as Arkworks, after the initial research phase which will take place during 23Q1.

POCs and implementations of cryptographic schemes

The AZKR guild plans to develop proofs-of-concept (POCs) to test the feasibility and functionality of concepts and identify potential challenges or implementation issues. One POC will be an experimental COSMOS blockchain with a simple voting system, and the guild also plans to experiment with connecting digital identity systems to voting systems. Depending on the outcome of research and the requirements of the CeresVote project, the guild may also develop additional POCs during the year. In addition, the guild plans to work on implementations of cryptographic primitives, such as the Poseidon hash, which is currently a missing feature of Aztec’s Noir language. This will contribute to the guild’s reputation in the ZK space. The guild expects to complete about one implementation per quarter, with the first being the Poseidon hash in 23Q1.

Other Core Research Activities

The AZKR guild has several other activities planned for the coming year:

  • Fundamental research (taking up 20-25% of the team’s resources):
    • Continue with regular mathematics and cryptography seminars in order to maintain the team’s ability to understand the newest research publications related to zero-knowledge proofs, which are fundamental to e-voting. This may lead to occasional publications in the form of blog posts.
    • Follow research publications in the fields of cryptography, particularly those related to zero-knowledge, privacy, and e-voting, and monitor the development and emergence of new technologies in the ZK space. Occasional technical reports may be published as a result.
    • Work on original research and publish 2 papers per year on zero-knowledge proofs.
  • Attend and organize meetups and conferences, and improve the visual quality of the AZKR blog in 1Q23.
  • Support other Aragon guilds with questions related to cryptography and cryptographic tools.
  • Establish new partnerships with other researchers and research organizations to increase and diversify our ability to follow the latest developments in cryptography, and for joint developments like cryptographic primitives. Maintain existing partnerships (e.g. Aztec).

Methodology

To ensure the achievement of the goals of this proposal we will combine a long-term work plan based on the waterfall approach with the Objectives and Key Results (OKRs) methodology for quarterly planning and success evaluation, as we have done in the last quarter of 2022.

Work plan

Table 1 presents the proposed work plan. This work plan will be periodically reviewed and updated when needed according to the outputs of the OKRs iterations, the research findings or other project development needs. The following chart shows a summarized version at the work package (WP) level, together with the lead of each WP.

Full details of the initial work plan, including tasks, participants, and main outputs, can be found in this google spreadsheet.

Objectives and key results 23Q1

The OKRs for the first quarter of 2023 (1st January - 31st March) follow. Please note that we use standard quarters; thus, the first two months (January and February) are not part of this proposal in terms of execution period and budget. AZKR-23Q1-O1 will take around 60% of the team effort, and AZKR-23Q1-O2 and AZKR-23Q1-O3 about 20% each.

AZKR-23Q1-O1 An anonymous censorship resistant voting solution has a draft design that allows for implementation to begin

  • AZKR-23Q1-KR11 Technical and functional requirements have been defined and approved by the Executive Director, Research Lead, and Head of Product Development.
  • AZKR-23Q1-KR12 Literature and market analysis for anonymous censorship resistant voting solutions, including cryptographic primitives, census, and e-voting solutions, have been compiled and reviewed by an external specialist.
  • AZKR-23Q1-KR13 Literature and analysis for ZK proofs and toolsets for integrating them have been compiled and reviewed by an external specialist.
  • AZKR-23Q1-KR14 Draft designs of essential components, including Census and Eligibility and voting process types, have been produced and approved by Research Engineers.

AZKR-23Q1-O2 Deliver in progress POCs and software implementations

  • AZKR-23Q1-KR21 Poseidon hashing algorithm in Noir has been implemented and integrated into the Aztec Noir repository.
  • AZKR-23Q1-KR22 Elliptic curve primitives in Noir have been implemented and a pull request made in the Aztec Noir repository.
  • AZKR-23Q1-KR23 A fully operational Blockchain/COSMOS zone is deployed and made available to AZKR guild for testing.
  • AZKR-23Q1-KR24 A prototype implementation of BatRaVot has been deployed on an Ethereum testnet.

AZKR-23Q1-O3 Increase knowledge transfer to Aragon DAO

  • AZKR-23Q1-KR31 4 blog posts on relevant topics have been posted in the AZKR blog.
  • AZKR-23Q1-KR32 3 technical reports have been produced and shared with Aragon’s technical team.
  • AZKR-23Q1-KR33 1 meetup or event organized by the AZKR guild and hosted by Aragon.
  • AZKR-23Q1-KR34 3 teaching sessions on relevant topics conducted.
  • AZKR-23Q1-KR35 A methodology to assess our knowledge transfer tasks has been defined and the first set of results obtained and shared.

Team

Team Leads

The Team Leads coordinate the work of the entire team and are responsible for representing the team, both internally and externally. However, they also take hands-on responsibilities in specific projects and thus contribute to the team’s production.

H1 - Head of Research. Previously served as a blockchain governance and tokenization expert at a European Body. Research interests include mathematics, consensus protocols and monetary theory.

H2 - PhD, Research Manager and guild steward. Assistant professor at a European university. Extensive experience as research engineer and project manager in e-voting and network infrastructure.

Research engineers

Research engineers play a crucial role in developing proofs-of-concept (POCs) and prototypes. They are skilled in using complex cryptographic toolsets and may also contribute to the development of these tools as needed. In order to effectively carry out their work, research engineers must possess a strong understanding of cryptography and cryptographic primitives, as well as advanced software engineering skills. They may also be responsible for implementing schemes developed by cryptography researchers.

H3 - PhD, Research engineer. Software developer with a strong background in pure mathematics. Currently focused on the implementation of cryptographic primitives and voting systems. Previously postdoctoral scientist at a European university.

H4 - Research engineer. Extensive experience in ZK programming, currently focused on scalability and privacy with recursion. Previously worked at ZK-rollups related company.

H5 - Research engineer. Focused on privacy-preserving smart contracts and implementing cryptographic schemes.

H6 - Research engineer. Long experience in software engineering, database development and system design. Contributor to blockchain projects using Bitcoin, Ethereum, BSV and COSMOS. Co-author of several blockchain standards specifications.

Fundamental Researchers

The fundamental researchers on the team focus on creating new cryptographic schemes and on providing mathematical proofs that these schemes are secure. They stay informed about current research in the field and play a key role in selecting cryptographic schemes for the development of proofs-of-concept (POCs) and prototypes.

H7 - PhD, Cryptographer. Previously Assistant Professor at a European university, where he remains active as an external expert in Cybersecurity. Research interests are in cybersecurity, blockchain, cryptography, and in particular e-voting, functional encryption and ZK.

H8 - Mathematician (we’re in the process of recruiting to replace a departing team member). Ideal profile: Math PhD with knowledge of cryptography, especially elliptic curve cryptography, and security proofs. Programming skills would be appreciated.

Risks and mitigation

Table 2 presents and classifies the most relevant risks identified and Table 3 the proposed mitigation measures.

Funding breakdown

Table 3 shows the total requested funding. This budget is for a period of 12 months, from March 2023 to February 2024. The budget estimation was done according to the following criteria:

  • Full-time workload, compensations and perks: the same policies as presently (as set by Aragon Association)
  • Team size: no changes (equivalent of 9 full-time positions)
  • Third-party service providers: only the costs for managing the legal wrapper have been budgeted ($ 1.000/month) as we are choosing to go with the option where the Ops guild takes care of operational overhead.
  • Adjustment for inflation: 1.08 (for existing team members, as suggested by the Ops guild)
  • Unexpected expenses rate: 1.05 (as suggested by the Ops guild)
  • Conversion rate EUR to USD: 1.06 (as suggested by the Ops guild)

Table 4 shows the budget distribution over the 4 funding seasons.

Following the efforts started in 2022, the AZKR guild will continue its collaborations with third parties (Aztec) and look for new ones according to the following rules:

  1. Any additional funding must be used either to compensate for the extra work of the existing contributors, which in any case should not exceed 15% of the workload or the compensation, or to extend the team with new hires.
  2. In any case the execution of this proposal has the highest priority; thus, interference or delays due to additional projects are not acceptable.
  3. The additional projects must be directly related to, and contribute to achieving, the goals of this proposal.

Annex - Team deliveries

Code

Implementations available in Github: https://github.com/aragonzkresearch

  • BatRaVot: BatRaVot implementation
  • Noir SHA2: Noir zk-lang implementation of SHA2 (SHA256 & SHA512) hash functions.
  • OVOTE: Offchain Voting with Onchain Trustless Execution (& ovote-node)
  • ark-anon-vote: Onchain anonymous voting implementation using arkworks-rs
  • ark-ec-blind-signatures: Blind signatures over elliptic curve implementation (native & r1cs constraints)
  • Blind-OVOTE: L2 validity rollup combined with blind signatures over elliptic curves inside zkSNARK, to provide offchain anonymous voting with onchain binding execution on Ethereum

Publications

Publicly available

Tech reports

Restricted access (internal notes for other teams in Aragon)

--------------------------------------------------------------------------------------------------------------------

5 Likes

Makes sense. Your work is extremely important for the broad industry, and even more so for Aragon.

I’m somewhat surprised to read this, as my understanding was that the rollups will settle transactions on Ethereum and not on its own app-specific L1. Any pointers about this decision?

3 Likes

Hi Luis, this is still very much about settling transactions and triggering funds transfers on Ethereum.

Rollups in general refer to proofs that are generated off-chain, possibly requiring significant computing resources. This is done so that the proof is as small as possible and thus less expensive to verify on Ethereum, under the condition that security is not compromised.

The unavoidable weak point of rollups is that the Ethereum smart contract designed to process proofs can only act on proofs that are submitted to it.

In some cases proofs can be definitive and the situation is quite straightforward. For example, in a 3-of-5 multisig, if a proof is submitted that 3 addresses have voted in favour, the situation is clear and a fund transfer can be initiated immediately.

However, in voting the situation may not be as simple. Imagine that ballots are submitted to a single rollup node, whose role it is to collect ballots and compute the proof after the voting period is over. Imagine that this rollup node is in fact malicious, and ignores some of the ballots received, based for example on the IP from which they were sent. The rollup node then generates a proof that excludes some ballots and submits that proof to the smart contract. The smart contract cannot know that this proof does not include all ballots cast. To mitigate this risk, additional fail-safe mechanisms must then be implemented: we can have several roll-up nodes (but then voters may need to submit ballots to several nodes); voters can monitor the proof being submitted and have the possibility to add their ballot manually to the smart contract if necessary (but we all know that voters will not all be as diligent); several parties can submit proofs, and the smart contract is able to aggregate proofs (at a cost of course), etc.

One reasonable solution to this is to have a rollup-chain, rather than just one or several independent rollup-nodes. The usual consensus mechanism will ensure that if at least 2/3rd of the nodes are honest, the rollup-chain will actually accept all ballots and compute a proof that takes all of these ballots into account.

Clearly this is not a panacea, but I think it’s an important element of making off-chain voting censorship-resistant.

The easiest solution right now seems to be a cosmos chain/zone, which is what we’re experimenting with at the moment, but this is not set in stone.

2 Likes
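The censorship scenario described in the reply above (a single rollup node silently dropping ballots, a verifier that cannot notice, and voters monitoring the submitted proof and adding their ballot manually), as an added Python simulation that is not part of the original thread or of CeresVote. The hash-based `bind` stands in for a real SNARK, the per-voter nullifier is the double-voting guard, and the census and ballots are constructed sample data.

```python
import hashlib
from collections import Counter
from dataclasses import dataclass

def h(*parts: str) -> str:
    return hashlib.sha256("|".join(parts).encode()).hexdigest()

@dataclass(frozen=True)
class Ballot:
    voter: str
    choice: str

    def nullifier(self) -> str:    # one per voter: the double-voting guard
        return h("nullifier", self.voter)

    def commitment(self) -> str:   # the receipt a voter keeps to check inclusion
        return h("ballot", self.voter, self.choice)

# Constructed sample election: an eligibility census and five cast ballots.
CENSUS = frozenset({"v1", "v2", "v3", "v4", "v5"})
BALLOTS = [Ballot("v1", "yes"), Ballot("v2", "yes"), Ballot("v3", "no"),
           Ballot("v4", "yes"), Ballot("v5", "no")]

def bind(tally, included) -> str:
    # Stand-in for a SNARK: binds a tally to exactly the ballots used to compute it.
    return h("proof", repr(sorted(tally.items())), *(n + c for n, c in included))

def rollup_node(ballots, drop=frozenset()):
    """Off-chain aggregator. An honest node uses drop=set(); a censoring node
    silently omits the ballots of the voters in `drop` before building the proof."""
    used = [b for b in ballots if b.voter in CENSUS and b.voter not in drop]
    tally = dict(Counter(b.choice for b in used))
    included = sorted((b.nullifier(), b.commitment()) for b in used)
    return {"tally": tally, "included": included, "proof": bind(tally, included)}

def contract_verify(sub) -> bool:
    """On-chain verifier: checks that the proof matches the submitted data. It has
    no way of knowing whether ballots were left out before the proof was built."""
    return sub["proof"] == bind(sub["tally"], sub["included"])

def censored(ballots, sub):
    """Voter-side monitoring: each voter compares their receipt with the published data
    and returns the ballots that the submitted proof does not account for."""
    seen = {c for _, c in sub["included"]}
    return [b for b in ballots if b.commitment() not in seen]

def force_include(sub, ballot):
    """Escape hatch: an eligible voter whose ballot is missing appends it on-chain.
    Refused if the voter is outside the census or their nullifier is already spent."""
    spent = {n for n, _ in sub["included"]}
    if ballot.voter not in CENSUS or ballot.nullifier() in spent:
        return sub
    tally = dict(sub["tally"])
    tally[ballot.choice] = tally.get(ballot.choice, 0) + 1
    included = sorted(sub["included"] + [(ballot.nullifier(), ballot.commitment())])
    return {"tally": tally, "included": included, "proof": bind(tally, included)}

def run(drop=frozenset()):
    """Submit the node's proof, let voters monitor it, then apply the escape hatch."""
    sub = rollup_node(BALLOTS, drop)
    assert contract_verify(sub)    # passes for honest and censoring nodes alike
    victims = censored(BALLOTS, sub)
    for b in victims:
        sub = force_include(sub, b)
    return sub["tally"], [b.voter for b in victims]
```

`run()` simulates an honest node and `run(drop={"v3", "v5"})` a node that drops two ballots; the verifier accepts both proofs, and only the voter-side check plus the escape hatch restores the full tally in the second case.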