[RFC]: Switch Snapshot space to shielded voting/secret ballots using Shutter threshold encryption

Title: Switch Snapshot space to shielded voting/secret ballots using Shutter threshold encryption

Submission Date: 27.10.2022

Simple Summary

This is a proposal to Euler DAO to toggle on encryption/shielded voting in the Snapshot admin settings. “Shielded voting” is a Snapshot feature using Shutter network’s threshold encryption DKG and keyper set and is developed by Snapshot and Shutter in tandem. More on the release of the feature here:
Snapshot’s Twitter thread about Shutter Governance & https://snapshot.mirror.xyz/yGz91njKbw-sXsnAT6RkoMzPwvuddZritz37h1OWO8o

Abstract

The proposal focuses on the introduction of the Shutter Governance to Euler DAO. Shutter Governance enables Shielded Voting to be set up when voting on the Snapshot platform. We think shielded/secret ballot voting is superior to open voting in many ways, especially around preventing strategic voting/misbehavior and voter apathy, factors that, in our view, negatively affect the overall voting structure in the DAO environment. Above all, we believe that Shutter Governance will restore awareness in the participation of the individual for the good of the whole and bring positive, democratic values. The use of Shutter Governance is entirely free of charge, and it only takes a couple of clicks from the admin side when setting up the proposal.

About Shutter

Aside from Shutter Governance, Shutter Network is an open-source project that aims to prevent front-running and malicious MEV on Ethereum by using a threshold cryptography-based distributed key generation (DKG) protocol.

MEV and front running are recognized to be among the final unsolved fundamental issues in the blockchain space. Ethereum is vulnerable mainly because of the miner’s ability to arbitrarily reorder transactions in the blocks they produce. More about Shutter and the MEV problem here: Rolling Shutter: MEV protection built into Layer 2

Motivation

At Shutter, combating front-running and malicious Maximal Extractable Value (MEV) by threshold encryption remains our core mission, however, we could not pass up the opportunity to extend the positive effects of our solution to other areas of the Ethereum environment. This is why we developed Shutter Governance, a tool for governance platforms which allows the use of shielded voting for their users.

We think by default - similarly to how voting works for political elections - all DAO voters for a given DAO vote should be able to access the same information beforehand. Shouldn’t we, who are using crypto governance, also have that option?

To be more specific, these are some of the benefits that we’re hoping shielded voting adds to the voting process:

  • Pre-voting information symmetry,
  • And added layer of censorship resistance,
  • partial privacy

This might sound a little theoretical, so let’s have a look at these two examples:

  1. Consider a contentious vote in which a minority is pushing the poll early in one direction. Voters that don’t have a strong opinion already formed might see this and think the outcome is already decided. Thus they’ll be discouraged from voting and also from researching/forming an opinion. This could then lead to the vote going in favor of the minority due to voter apathy, which would not be a good outcome, given that the goal of the poll is to represent the majority opinion.

  2. Consider a whale with malicious intent observing and waiting for a vote to play out. Only to come in at the last minute, borrowing/buying just the right amount of tokens needed to sway the vote, and doing this at a time when there’s no more time for the rest of the community to react.

In both of these scenarios, having the vote shielded could improve the situation massively. The first example covers how this feature can help with incentivizing people to vote, leading to a higher voter turnout. In the second scenario, we show how shielded voting protects the proposal from manipulation.

Specification & Implementation

With Shutter Governance, votes are encrypted during the voting period and revealed after the poll closes, similar to secret ballot political elections in which we would not like to reveal the voting results before the polling stations close. To vote on a proposal with Shutter Governance, the user first requests the Eon key with the Keypers signature, there is then a signature check against the Keyper registry to prevent the system operator from giving out a fake key that they control. After this step, the votes get encrypted with the Proposal key, derived from the Eon key and the proposal ID.

Shutter Governance had its official launch on the Snapshot platform on October 13, 2022. From then on, all Snapshot DAOs have the option to choose Shutter as a voting privacy option in the Snapshot admin settings. With this in mind, the use of Shielded Voting does not require any work or technical input from anyone at DAOs, the entire solution is fully implemented on Snapshot and whether organizations will use it is just a matter of choice.

Voting

Yes - Euler DAO should start using Shutter Governance for pools at Snapshot

No - Euler DAO should not start using Shutter Governance at pools at Snapshot

4 Likes

Seems like there are some good reasons for introducing shielded voting. What would the potential negatives/“costs” be for turning on shielded voting?

Also, from the screenshots, looks like you can still see if a quorum is being reached mid-vote. Is that correct?

2 Likes

Shutter appears to fix a lot of the downsides of real-time public voting on Snapshot. I’m excited to see it in practice for Euler.

1 Like

Hey! Thanks for the proposal. While it could potentially solve some problems related Snapshot real-time public voting, I have some concerns regarding the Delegate system. Currently the delegate system is designed in a such a way that people delegate votes to a particular delegate whose “voting programme” seem right. So by following the way this delegate vote users are able to verify if this delegate cope with his/her programme. In case of a secret ballot I’m afraid that the very sense of the delegates system could be undermined as users will to longer be able to check the votes of the delegate they chose.

2 Likes

Maybe I’m misunderstanding the vote reveal process on Shutter. @0xJakub , could you clarify whether it is only the outcome of the vote, or also the actual votes themselves, that are revealed at the end of the voting period?

Some privacy-preserving protocols have a “viewing key” system that allows a user to selectively share additional detail about their activities (e.g. for tax reporting or other compliance purposes). Is something like this implemented or possible in Shutter Network? It could potentially address @Raslambek 's legitimate concern here by allowing delegates to share a viewing key for their voting activity for anyone who wants to review their voting history (though to retain the advertised benefits of Shutter, such a system would ideally only report on completed votes and not active ones, which could be a headache to implement).

1 Like

Yes, no costs. Negatives we see currently are only that the integration is at quite an early stage, please see potential risks with this here: Shutter brings shielded voting to Snapshot

The use of Shutter Governance focuses on encrypting the result of the vote only while it is taking place. Once the pool is over, all DAO members will be able to see who voted and how they voted.

At the end of the vote, both the result of the vote and the individual votes are revealed.

As I replied to @Raslambek, the use of Shutter Governance is to encrypt the votes only during the voting period, once the voting is over both the result and the individual votes will be visible.

Shielded voting doesn’t have a viewing key functionality yet, but that would be cool! That being said, as the votes are revealed after the voting period, we don’t see this as an urgent feature.

Thanks for clarification, it addresses all my concerns indeed !

My main concern with this was that if votes were not revealed post vote completion then this would be a massive hit against transparency. At the moment, the way the voting system works allows for people to contact others who have already voted and ask for clarifications as to why they have voted in such a way. I think this is a useful ability and as such I’m not sure I support shielded voting. In my eyes, it minimises transparency even if the way people vote in the end is still disclosed.

Nonetheless I look forward to discussing this more and it is clear there is some demand for it. I think this is coming close to passing the temperature check.

got it, appreciate the info! I would support this proposal based on what I’ve read here.

1 Like

We also think that if votes were not revealed, transparency would be under great threat.

The argument relating to the current possibility of asking for a reason of voting a certain way is perfectly reasonable, but as I said before, the whole idea is to prevent “the crowd behaviour” and motivate people to make their own decision resulting from research as well as from premature community discussion of the proposal.

Thank you for your comment!

2 Likes