The system uses “time-lock puzzles” to encrypt the contents of votes, making them unreadable until balloting has finished.
Venture capital fund Andreessen Horowitz, also known as A16z, has released a Solidity library that can be used for anonymous voting on Ethereum. Called “Cicada,” the library prevents an individual voter’s choice from being known before polling ends. When combined with zero-knowledge group membership systems like Semaphore, it can also make the identity of the voter permanently unknowable, according to a May 24 blog post from A16z engineer Michael Zhu.
Cicada relies on time-lock puzzles, a type of cryptography that allows users to encrypt secret values that can only be decrypted after a specific period of time has passed, Zhu stated.
These puzzles have been around since 1996. But before 2019, they would have required users to reveal their secret values once the time period had passed. In voting systems, this could have caused problems with users submitting votes and then going offline, preventing all the votes from being countable.
In 2019, the concept of “homomorphic” time-lock puzzles was proposed by cryptographers Giulio Malavolta and Aravind Thyagarajan. This allowed the puzzles to be added together to produce a final puzzle that was much easier to solve than the sum of the individual puzzles. The solution to the final puzzle reveals only the sum of the individual values without revealing the individual values making up this sum.
According to the A16z post, Cicada uses these homomorphic puzzles, allowing votes to be counted even if users go offline.
When attempting to transfer Malavolta and Thyagarajan’s system to the blockchain, A16z researchers ran into an obstacle to creating a fair voting system: Each choice needed to be encoded as a boolean value of “1” or “0.” This meant that attackers could try to increase their voting power by incorrectly encoding the vote — by encoding “100” as their value, for example.
To solve this problem, Cicada requires voters to submit a zero-knowledge proof of ballot validity along with each ballot, the post said. The proof shows that the vote was encoded correctly, but without revealing the contents of the vote.
Cicada only prevents votes from being known while the poll is being conducted. Once the “poll has closed” or the time-lock period has passed, any person can determine the contents of a vote by brute-forcing the solution to the puzzle. However, A16z suggested that this problem can be solved by combining Cicada with zero-knowledge group membership systems like Semaphore, Semacaulk or zero-knowledge state proofs. In this case, brute forcing the puzzle will only reveal that the vote was cast by an eligible voter but will not reveal the credentials used to prove the voter’s eligibility.
As an example, Zhu provided a link to a sample contract produced using Cicada that also relies on Semaphore to prove voter eligibility.
Voting systems have long been a component of decentralized autonomous organizations (DAOs), the governing bodies that often manage blockchain apps. But in most cases, DAOs use tokens to represent votes, which means that individual users can have an outsized influence if they hold a large number of tokens. For example, on May 22, an attacker took control of Tornado Cash by casting extra votes on a malicious proposal, using it to drain all of the governance contract’s funds. The attacker later offered to give back control to users.
Waves founder Sasha Ivanov has argued that DAOs must move to a more democratic voting system if governance attacks like these are to be avoided.