Private voting and whistleblowing in Ethereum using Semaphore
December 20, 2019
In a previous post, I wrote a technical explanation of Semaphore, a zero-knowledge privacy gadget built on Ethereum. Since then, we have collaborated with other teams in the Ethereum community and beyond to build simple zero-knowledge applications. In this blog post, I will describe two of these applications and how they use Semaphore to achieve privacy for their particular use cases.
A recap on how Semaphore works
Consider Alice, Bob, and Charlie, who are users of an application built on Semaphore. They each register an identity into the application contract. Later, Alice can prove that she is part of the set of registered identities {Alice, Bob, Charlie}, without revealing that she is Alice. When she does so, she can broadcast an arbitrary string. Note that the contract ensures that she can only do so once within the context of an external nullifier. A simple way to understand an external nullifier is to think of it as a topic, towards which each user may only respond once. It serves different functions depending on the nature of the application which uses Semaphore.
Private voting
OneOfUs is an anonymous voting platform which allows verified event attendees to anonymously vote on topics without revealing their real identities. With the generous assistance of the Proof of Attendance Protocol (POAP) team, we built and integrated this app with POAP ERC721 tokens in time for Devcon 5, where we used it during a workshop to educate attendees about Semaphore and zero-knowledge proofs.
The basic idea behind this app is that anyone who owns a POAP token associated with Devcon 5 can register an identity in a Semaphore smart contract. Anyone can post questions, such as “Should Devcon 6 be held in Buenos Aires?”, and the hash of the question acts as an external nullifier in Semaphore. Each user may then broadcast a signal (for instance, “Yes” or “No”) towards said external nullifier by producing a zero-knowledge proof that they are part of the set of registered attendees, without revealing their original Ethereum address or token ID.
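The once-per-topic rule from the recap and the question-hash scheme described here can be modelled in a few lines. This is an added sketch, not code from Semaphore or OneOfUs: the `Identity` and `Poll` classes are hypothetical, SHA-256 stands in for the circuit's hash functions, the identity is simplified to two secrets, and a plain set lookup replaces the zero-knowledge membership proof, so the model shows the nullifier bookkeeping only and provides no privacy of its own.

```python
import hashlib
import secrets

def h(*parts: bytes) -> bytes:
    # SHA-256 with length prefixes: a stand-in for Semaphore's in-circuit hashes.
    d = hashlib.sha256()
    for p in parts:
        d.update(len(p).to_bytes(4, "big") + p)
    return d.digest()

class Identity:
    """Secrets held by the user; only the commitment is registered."""
    def __init__(self):
        self.nullifier = secrets.token_bytes(32)
        self.trapdoor = secrets.token_bytes(32)

    def commitment(self) -> bytes:
        return h(self.nullifier, self.trapdoor)

    def nullifier_hash(self, external_nullifier: bytes) -> bytes:
        # Same identity + same topic always gives the same value, so a second
        # signal is detectable; a different topic gives an unrelated value.
        return h(self.nullifier, external_nullifier)

class Poll:
    """Hypothetical model of the contract state (not the Semaphore contract)."""
    def __init__(self):
        self.members = set()   # registered identity commitments
        self.seen = set()      # nullifier hashes already used
        self.signals = {}      # external nullifier -> signals received

    def register(self, identity: Identity) -> None:
        self.members.add(identity.commitment())

    def add_question(self, question: str) -> bytes:
        ext = h(question.encode())   # hash of the question = external nullifier
        self.signals.setdefault(ext, [])
        return ext

    def broadcast(self, identity: Identity, ext: bytes, signal: str) -> bool:
        # Stand-in for the zero-knowledge proof: the real contract verifies a
        # proof of membership and never sees the identity or its commitment.
        if identity.commitment() not in self.members or ext not in self.signals:
            return False
        nh = identity.nullifier_hash(ext)
        if nh in self.seen:          # already signalled on this topic
            return False
        self.seen.add(nh)
        self.signals[ext].append(signal)   # stored without any identity
        return True
```

The stored state after voting contains only nullifier hashes and signals, which is why a repeat vote can be rejected without learning who cast the first one.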
We initially built a version of this app in a decentralised fashion, where people who posted questions would have to pay some Ether to the contract, and anyone who broadcasts a signal would receive a small fee. This would reward transaction relayers so that actual users would not have to pay gas to post their answers and thereby lose anonymity.
Although we had completed the smart contract code for this version, we decided to pivot to a centralised version in order to save time and reduce complexity. It was a client-server app which mimicked the smart contract logic and stored data entirely off-chain. This allowed us to conduct a smooth workshop where some attendees were able to register themselves and vote on questions.
Private whistleblowing
More recently, Lai Ying Tong, Brendan Graetz, Barnabé Monnot, myself, and others built a simple whistleblowing application using Semaphore as an entry to the Yale Open Climate Collaboration. One of the goals of the hackathon was to explore ways that smart contract technology can lead to better accounting and reporting of climate emissions. Our work built on the concept of using economic incentives to encourage executives of carbon-emitting corporations to blow the whistle if their company submits fraudulent data. A trusted referee would investigate such reports, and if they were to find evidence of incorrect reports, they would confiscate a deposit which the company locked up using a smart contract.
Semaphore allows the whistleblower to remain anonymous, which protects them from retaliation. It works as follows: each executive registers their identity into a smart contract. Every day, the company submits climate data, deposits some funds, and adds a unique identifier of the dataset as an external nullifier in the contract. When a whistleblower submits a report, they broadcast a signal to the external nullifier associated with said dataset. This freezes the company’s deposits, pending the referee’s intervention. The whistleblower also receives a reward.
Conclusion
We hope that these sample applications can inspire more members of the Ethereum community to leverage Semaphore for various real-world use cases. An audit of the Semaphore contracts and circuits will be released soon, and a secure multi-party trusted setup will begin when we complete the infrastructure for a circuit-specific ceremony. When these are done, Semaphore will be production-ready and will hopefully be a useful part of the privacy landscape on Ethereum.