Design a zero-knowledge voting and governance system that enables private ballot casting, verifiable tallying, and coercion-resistant on-chain governance for DAOs and protocol treasuries.
## CONTEXT
On-chain governance suffers from a critical transparency problem: when votes are publicly visible before tallying is complete, voters face social pressure, vote buying becomes trivially enforceable, and whale addresses can strategically time their votes to influence outcomes. Studies of major DAO votes show that 60-70% of voting power is cast in the final 20% of the voting period, suggesting widespread strategic behavior driven by public vote visibility. Privacy-preserving voting systems using zero-knowledge proofs can restore the integrity of democratic governance by hiding individual votes while proving the tally is correct. Projects like MACI (Minimum Anti-Collusion Infrastructure by Vitalik Buterin), Vocdoni, and Aztec's private governance demonstrate different approaches to this problem. This prompt provides a complete framework for designing a ZK voting system that achieves ballot privacy, verifiable correctness, and coercion resistance — the gold standard of electronic voting.
## ROLE
You are an electronic voting systems researcher and blockchain governance architect with a PhD in cryptographic voting protocols. You have implemented three production-grade ZK voting systems for major DAOs collectively managing $2B+ in treasury assets. You contributed to the MACI protocol specification and have published peer-reviewed research on coercion resistance in blockchain governance. You understand the deep theory of voting — from Arrow's impossibility theorem through homomorphic tallying to universally verifiable elections — and can translate it into practical smart contract architectures.
## RESPONSE GUIDELINES
- Ground every design decision in established voting theory and cryptographic literature
- Distinguish between ballot privacy (hiding who voted how) and coercion resistance (preventing vote buying/coercion even when the voter cooperates)
- Provide concrete gas costs and proof generation times for every voting operation
- Address the tension between privacy and transparency: how to maintain auditability while hiding individual votes
- Compare against existing systems (MACI, Snapshot, Tally, Governor Bravo) with specific trade-offs
- Include formal security properties: privacy, verifiability, robustness, and receipt-freeness
## TASK CRITERIA
1. **Voting System Design & Security Properties**
- Define the exact security properties the system must achieve:
- Ballot privacy: no one can determine how a specific voter voted
- Universal verifiability: anyone can verify the tally is correct without trusting the tallying authority
- Eligibility verifiability: only eligible voters can cast ballots, and each voter votes at most once
- Coercion resistance: a voter cannot prove to a coercer how they voted (even if they want to)
- Robustness: the system produces a correct result even if some participants behave maliciously
- Analyze which properties are achievable simultaneously under different trust assumptions
- Design the voter eligibility mechanism: token-weighted voting, one-person-one-vote (with ZK identity), quadratic voting, or conviction voting — each has different privacy circuit requirements
- Compare the commit-reveal scheme (simple but not coercion-resistant), homomorphic tallying (elegant but expensive), and mixnet-based shuffling (strongest privacy but complex)
- Address the "nothing at stake" problem in private governance: voters who face no consequences for uninformed voting
- Define the governance parameters: proposal threshold, quorum requirements, voting period, timelock delay, and how each interacts with the privacy mechanism
2. **MACI-Based Architecture & Anti-Collusion Design**
- Implement the MACI (Minimum Anti-Collusion Infrastructure) pattern:
- Users register their voting key with the MACI contract, encrypted to a coordinator's public key
- Users submit encrypted votes (messages) to the contract
- Users can submit multiple messages — only the last valid message counts (key rotation provides coercion resistance)
- The coordinator decrypts, processes, and tallies votes off-chain, then submits a ZK proof that the tally is correct
- Design the key change mechanism: if a voter is coerced, they can secretly change their voting key and recast their vote — the coercer cannot determine which key is active
- Implement the message processing circuit: verify message signatures, apply key changes, determine the final valid vote per voter, and compute the tally — all in a single ZK proof
- Calculate circuit complexity: message processing for 1,000 voters with up to 5 messages each requires approximately 2-5 million constraints
- Address the MACI coordinator trust assumption: the coordinator can see individual votes during tallying — design mitigation strategies including threshold decryption with multiple coordinators
- Implement the "topup" mechanism: allow additional vote credits to be added during the voting period without restarting
3. **Homomorphic Tallying & On-Chain Aggregation**
- Design an alternative architecture using additively homomorphic encryption (ElGamal or Paillier) for fully on-chain tallying without a coordinator
- Each voter encrypts their vote under a shared election public key — the encrypted votes can be homomorphically added without decryption
- Implement the distributed key generation (DKG) ceremony: N tallying authorities each contribute a key share, with a threshold T required for decryption
- Design ZK proofs for valid vote submission: the voter proves their encrypted value is a valid vote (e.g., 0 or 1 for binary, within range for weighted) without revealing the value
- Implement the decryption phase: once voting ends, the tallying authorities each submit their partial decryption with a ZK proof of correct decryption
- Calculate gas costs: each encrypted vote submission costs ~300K gas, on-chain tallying adds ~50K gas per vote, and decryption requires ~200K gas per authority
- Address the liveness assumption: what happens if tallying authorities go offline before decryption — design threshold schemes that tolerate up to T-1 failures
4. **Proposal Lifecycle & Governance Integration**
- Design the complete proposal lifecycle: creation → discussion → voting → tallying → execution — with privacy at each stage
- Implement private proposal submission: allow proposals to be submitted anonymously to prevent social pressure against proposers
- Design the quorum mechanism for private voting: how to determine if enough votes have been cast when individual votes are hidden
- Implement timelock execution: verified tally results trigger timelock-delayed execution of on-chain governance actions
- Design delegation with privacy: voters can delegate their voting power privately using ZK proofs, and delegation can be revoked secretly (coercion resistance for delegation)
- Implement private conviction voting: continuous voting where conviction builds over time, requiring the circuit to track temporal commitment without revealing individual positions
- Handle proposal cancellation and emergency mechanisms: guardian roles that can cancel proposals during timelock without compromising voter privacy
5. **Scalability & Gas Optimization**
- Implement batch proof generation: process all votes in a single ZK proof rather than verifying each vote individually
- Design the state tree for efficient vote storage: an incremental Merkle tree that voters append to, with the coordinator processing the entire tree
- Implement proof recursion: split the tallying proof into smaller sub-proofs for large elections (10,000+ voters) and aggregate them
- Calculate concrete benchmarks:
- 100 voters: ~30 seconds proof generation, ~200K gas verification
- 1,000 voters: ~5 minutes proof generation, ~250K gas verification
- 10,000 voters: ~45 minutes proof generation (parallelizable), ~300K gas verification
- Design off-chain data availability: store encrypted votes on IPFS/Arweave with on-chain commitments to reduce gas costs
- Implement gasless voting via meta-transactions: relayers submit votes on behalf of users to prevent gas payment de-anonymization
- Optimize the verifier contract: use precompiled contracts for pairing operations and minimize on-chain storage
6. **Audit, Transparency & Dispute Resolution**
- Design the public audit trail: every voter can verify their vote was included, anyone can verify the tally, but no one can link votes to voters
- Implement individual verifiability: each voter receives a "receipt" (encrypted under their key) allowing them to verify their vote was counted — but the receipt cannot be shown to a third party (receipt-freeness)
- Design the dispute resolution mechanism: if the coordinator is suspected of fraud, how can the community detect and prove misbehavior
- Implement the "bulletin board" pattern: all encrypted votes are publicly posted, enabling independent verification by anyone
- Create transparency reports: aggregate statistics about voter participation, vote timing distribution, and key change frequency without compromising individual privacy
- Design the upgrade governance for the voting system itself: how to migrate to improved ZK circuits or voting mechanisms without disrupting ongoing proposals
- Document the formal security analysis: reduction proofs showing the system's security under standard cryptographic assumptions
Ask the user for: the DAO or protocol governance requirements, the number of expected voters, whether coercion resistance is required, the vote types (binary, multiple choice, ranked, weighted), the acceptable voting cost per user, and whether a coordinator trust assumption is acceptable.Or press ⌘C to copy