Zero Knowledge Proofs and DAOs: How to Build a Private Organization

Zero knowledge proofs today “can be compared to how the space of computers looked in the 70’s,” said Artem, research engineer for the Aragon Zero Knowledge Guild on a Twitter space.

“Back then, everyone could create their own processor. Now, everyone can create their own proving systems and their own languages, but there’s no dominant solution in the market.”

This pace of innovation and divergent approaches in the ZK world is exciting, but also challenging. Regardless of the challenges in this nascent space, we see tons of possibilities for how this ZK technology can be applied to DAOs.

So, we talked to one of our ZK research engineers right here in Aragon to learn about Zero knowledge proofs and how DAOs can use them to build private organizations.

What are Zero Knowledge Proofs?

A proof is when someone proves a fact to someone else. You essentially prove that you did some type of computation correctly.

Zero knowledge adds a layer of privacy on top of that.

A zero knowledge proof is the ability of a person to prove information (the prover) to someone else (the verifier) that they possess information without actually revealing the information to the verifier.

ZK proofs use a combination of number theory, advanced mathematics, and cryptography. They were first invented in 1985 and used for small problems, but due to the inefficiency of the applications, it was hard to build substantial solutions until the introduction of SNARKs in the early 2010’s.

You use some simple ZK systems every day in web3. For example, you use ZK proofs every time you sign an on-chain transaction: you prove that you possess the private key to your wallet without revealing what the private key is.

Every valid ZK proof must satisfy these criteria:

1. Completeness: the protocol always returns “true.”
2. Knowledge Soundness: it is impossible to fool the protocol to verify a proof when you do not know the secret information
3. Zero-knowledge: the verifier learns nothing about the secret statement other than if it’s true or false.

So, how do ZK proofs actually work?

One common way of understanding how it works is the example of the Ali Baba cave described by Jean-Jacques Quisquater in a paper published in 1990.

Peggy is the prover and Victor is the verifier. In the story, there is a cave shaped like a ring, with two paths to get to the back. There is a magic door in the back blocking the other path that can only be opened with a secret word. Peggy knows the secret word to open the door, which means she can go in and out of the cave freely through either pathway in the ring-shaped cave.

Victor wants to know if Peggy knows the secret word, but Peggy doesn’t want to tell him the word. So, they label the two paths in and out of the cave—A and B—and Victor stands outside the cave. He shouts the name of the paths at random and Peggy has to come outside using that path. The fact that she can come outside through both ways shows that she can go in and out of the magic door in the back that separates them, and therefore knows the secret word.

If they keep doing this over and over, Victor can conclude that it’s extremely likely that Peggy does in fact know the secret word to get through the door.

Let’s say Victor only shouted path B, and that happened to be the one that Peggy entered through. Then she wouldn’t have to go through the magic door and take path A, and therefore he wouldn’t be able to prove that she knows the secret word. This is why testing random options is extremely important in ZK proofs.

Why use zero knowledge proofs?

Zero knowledge proofs are important for blockchains to function, as they allow them to utilize secret information on otherwise public system with no compromises to the system security.

Again, a simple example of it can be that users do not want to revel their private keys every time they sign a transaction, or a more complex example would be where voters do not want to reveal who they voted for.

In all these scenarios, we need to guarantee that we know some secret data, and that this data satisfies a requirement. One way of understanding this is the use case of proving your age. Let’s say you go to a bar and have to prove to the bartender that you’re over the legal drinking age in your country.

Right now, you have to share your birthdate, and your ID also happens to have tons of other personal information on it. But the reason we show that ID is really only to convince the bartender that we have an official ID, the photo on it matches our face, and the age is over the age limit.

We do not need to show the exact birthdate, photo, or ID number. With ZK proofs, we can craft a proof that we meet all criteria, without disclosing any other information. Thus, the verifier has Zero Knowledge. This preserves privacy for the prover.

While the use case above isn’t practically possible yet, we are moving ever closer, with proposals such as ZK-cred. And it’s also a great way of understanding the power of ZK proofs and how they could be applied in the future.

Use cases of zero knowledge proofs

A few use cases of ZK technology include private blockchains, cheap and anonymous voting for DAOs, private finance, on-chain gaming, private social networks and even a completely private internet in the future.

You can use ZK proofs to build entirely private blockchains. “This is becoming possible right now,” said Artem. These private chains could keep all your transaction and financial data completely anonymous.

Another use case is in DAOs. Gasless, private voting in DAOs is the area of ZK that the team is currently exploring with the OVOTE and BatRaVot protocols, which we’ll describe below.

They wanted to develop a way for DAO members to cast votes off-chain and have automatic execution on-chain, saving gas fees and introducing the possibility for completely private voting in the future.

So, they introduced OVOTE: offchain voting with onchain trustless execution and BatRaVot: scalable trustless voting on Ethereum. We’ll go into the details below.

Artem also mentioned blockchain gaming as one area that could benefit from ZK.

“The problem with games on the blockchain is that everyone will know the inventory you have and which information you know, because everything would be public,” he said.

This isn’t ideal in a game where you’re interacting and competing with other players. Then you could win by just looking up what the other competing players have done, and follow their steps. This is cheating, and thus obviously is far from ideal.

But with ZK technology, you can create a private state for each player. “There would be information that only the player would know, and the player could prove that they acquired for example a very rare super artifact by playing the game fairly,” he said.

Private on-chain assets are another area with potential. Right now, it’s hard to keep on-chain assets private without using a mixing service like Tornado Cash or splitting your tokens across multiple wallets. And even then, it’s still traceable back to your original wallet. But, ZK opens up the possibility for complete private finance on-chain.

“Using ZK for something like guaranteed loans would be interesting,” he said. “You would guarantee that the person can pay it off without disclosing their assets.”

Even private social networks and a completely private internet are possible with ZK.

“With the amount of IoT devices (Internet of Things) and ubiquitous computing around us, privacy on the internet becomes more and more necessary,” he said.

Current challenges for ZK

While there are many exciting developments in ZK research right now, there are a few challenges that slow down the industry.

Large amounts of computing power are necessary

The ZK field is very early. Even though the concept of ZK Proofs was invented in the 1980’s, it wasn’t feasible to perform the computations for considerable problems until the early 2010’s because this was just too demanding for computational resources.

This is because every proof needs to convert the statements into a format of circuits, and then prove that all circuits are correct. This can take hours.

For example, to prove a statement that two numbers add up to zero, “you need to do one thousand more additions just to generate the proof. So it’s very hard for complex statements,” said Artem. “The proof itself might be around a few bytes, but the memory to generate the proof is in the gigabytes.”

This makes innovation hard, because teams need to rent servers to have enough computation power.

“But, progress comes in two directions,” said Artem. Not only does hardware capacity grow every year, but ZK researchers are increasing efficiency in their protocols. So, the problem of computation could become a thing of the past very soon.

Many research directions prevent a common standard from emerging

There are lots of innovations happening, but that prevents a common standard from emerging. The field never stops changing.

Artem compared it to how the development of computers looked in the 1970’s before common languages and standards came about.

The innovation is a good thing, but combining research power into the same languages and systems makes innovation in those specific areas faster, rather than spreading it out across many solutions.

A high level of expertise is required to work in the field

To work in the ZK space, you need a very high amount of expertise in fields like mathematics, number theory, and cryptography.

The systems are inflexible and easily breakable, too. “It’s very important to ensure you’re doing the right thing,” said Artem. He described how even small adjustments can mess up the system if you’re not careful.

“When I was building BatRaVote, a few times I slightly deviated from the original requirements, and an issue was identified based on that,” he said.

The learning curve to get into the field is very high, which can slow development.

ZK-SNARKs: a new paradigm in ZK technology

ZK proofs can be slow and expensive because of the high computational power required. But the advent of ZK- SNARKs allow you to apply ZK proofs to any computer program, with no need to generate a proof specific for a particular use case.

SNARK stands for “succinct non interactive argument of knowledge.” They are universal proof statements that can be used out of the box to allow you to prove almost any statement. Basically, you can write any program you want, turn it into a statement, and prove the statement to the verifier.

“Snarks opened up a new paradigm,” said Artem. They brought a lot more attention to the ZK space, which has helped grow research and innovation.

Zcash was the first adopter of ZK-SNARKs in the crypto space. Zcash has been called “the https of blockchains.” It’s a Bitcoin fork that uses SNARKs for anonymous, or “shielded,” transactions.

Building private organizations with gasless voting at Aragon: OVOTE and BatRaVot

Voting on-chain in DAOs can be expensive, which deters voters from participating and can weaken community sentiment if fewer people have a say in key decisions. But on-chain voting is a critically important component of DAOs, because it’s trustless and universally verifiable by everyone.  

So, the Aragon ZK Research Guild set out to solve this problem and build gasless voting with on-chain execution.

“We built OVOTE, which is very similar to ZK Rollups, but instead of doing it for transactions, we built it for votes,” said Artem.

Here’s how OVOTE works:

When you want to vote, the program creates a ballot rather than a transaction. The ballot has information about your wallet, what you want to vote for, and a small proof. You send this ballot to an intermediary called an aggregator. The aggregator puts together all the votes and sends them to the smart contract, which drastically reduces the gas cost. The aggregator pays the gas fees, not the voters.

The team also developed BatRaVot, which stands for Batched Ratified Voting.

“They operate quite similarly. The key difference is the zero knowledge proof system we use,” said Artem. “For BatRaVot we used a lightweight, custom-built solution.”

BatRaVot is about two times more efficient than on-chain voting in terms of gas cost. It also has different voting options, such as delegated voting. And, it can be extremely flexible with the data you put into it.

“The fact that we do most computations off-chain means we have a lot of flexibility in how we support data. So you could vote with NFTs and wouldn’t need to change the contract much,” he said.

Artem even noted that you don’t need an Ethereum address to vote in BatRaVot. The protocol is agnostic to the data coming in.

Using ZK to build private DAOs

Right now Aragon uses ZK for reducing the cost of votes, but the next step for the team is to use ZK for privacy.

“The very ambitious next step would be making DAOs private. Not just the voting, but the actual internals of the DAO.”

The team plans to integrate ZK into voting protocols at Aragon, and eventually they could even create “ZK DAOs,” as Artem calls them.

“ZK DAOs make a community private, even on a public internet. It doesn’t feel right when you want to vote in an election and not even the community members can see what you’re voting on. So you need a private space.”

He noted that token-gated systems right now are not provably secure and easily hackable. “If you’re a Discord admin you can always get in,” he said.

What’s next for Aragon ZK Research

Next up for the team is an audit to test the security of both OVOTE and BatRaVot.

“It’s hard to say how secure it is until we do an audit, and audits are hard because there aren’t many specialists in this field yet,” he said.

The team is also exploring the possibility of aggregator attacks. “What if none of the aggregators accepted your vote?” he said. “It’s important to offer different ways to submit votes. And, people can even become their own aggregators, so that’s another way to solve the problem.” This is similar to the issue of validator attacks on the Ethereum blockchain.

After audits, they’ll look into helping integrate it into the new aragonOS  and then start working on private voting.

“We could implement it sometime this year,” he said, and they are already working on it today.

To stay up to date on the work from the Zero Knowledge Guild, check out their blog and Twitter account!

--

Aragon is building the future of decentralized governance for Web3 communities & organizations. See the latest at aragon.org, subscribe to our monthly newsletter, join the conversation on Discord, or follow us on Twitter.

Docs | YouTube | Telegram | Github | Reddit | Linkedin | Forum