Blog
 / 
fhEVM

Confidential DAO Voting Using Homomorphic Encryption

October 12, 2023
  -  
Clément Danjou
This is also a heading
This is a heading
This is also a heading

In this blog post, you will discover how homomorphic encryption can enable the creation of confidential Decentralized Autonomous Organizations (DAOs). You will get a practical guide on implementing a confidential DAO with Zama's fhEVM.

What’s a DAO and why do it confidential?

A DAO is a self-governing entity on a blockchain that leverages a governance token to enable token holders to propose and vote on decisions related to the organization. Typically, a DAO consists of two primary smart contracts: the Governor contract, which manages vote proposals and voting processes, and a Token contract that maintains a registry of token holders.

Various voting models exist, such as quorum voting or quadratic voting but regardless of the voting paradigm, the ability to cast a vote depends on token ownership, representing a stake in the project.

In a traditional DAO, voting records are publicly accessible, revealing each user's token holdings and voting choices. In contrast, a confidential DAO employs a confidential token, maintaining the secrecy of both the token quantities and individual votes.

For the purpose of this article, let’s focus on the Compound Protocol as the point of reference.

Token

In the context of this article, you will transform the COMP token contract into a confidential token contract.

The fhEVM introduces new encrypted data types like [.c-inline-code]ebool[.c-inline-code] and [.c-inline-code]euint32[.c-inline-code]. You'll proceed to update properties, including [.c-inline-code]totalSupply[.c-inline-code], [.c-inline-code]balances[.c-inline-code] and others, to use the [.c-inline-code]euint32[.c-inline-code] data type.

/// @notice Total number of tokens in circulation
    euint32 public totalSupply = TFHE.asEuint32(0);

/// @notice Allowance amounts on behalf of others
    mapping(address => mapping(address => euint32)) internal allowances;

/// @notice Official record of token balances for each account
    mapping(address => euint32) internal balances;

/// @notice A checkpoint for marking number of votes from a given block
    struct Checkpoint {
        uint32 fromBlock;
        euint32 votes;
    }

A token used within a DAO is close to a traditional ERC-20 token with some distinctions. Rather than solely monitoring a user's token balance at a specific moment, it maintains a historical record of the number of tokens held by each user over time. In the context of a proposal introduced at block N, users are eligible to vote on it using the token holdings they had at that particular block.

The token contract incorporates two methods for managing this historical data: [.c-inline-code]moveDelegates[.c-inline-code] and [.c-inline-code]writeCheckpoint[.c-inline-code].

Whenever a mint, transfer, or delegate takes place, the contract triggers the [.c-inline-code]moveDelegates[.c-inline-code] function to create a checkpoint reflecting the user's token holdings at the current block number.

Transitioning this function to use encrypted integers is relatively straightforward, as illustrated. The primary distinction lies in replacing the default [.c-inline-code]0[.c-inline-code] with [.c-inline-code]TFHE.asEuint(0)[.c-inline-code] to obtain an encryption of zero.

function _moveDelegates(address srcRep, address dstRep, euint32 amount) internal {
        if (srcRep != dstRep) {
            if (srcRep != address(0)) {
                uint32 srcRepNum = numCheckpoints[srcRep];
                euint32 srcRepOld = srcRepNum > 0 ? checkpoints[srcRep][srcRepNum - 1].votes : TFHE.asEuint32(0);
                euint32 srcRepNew = srcRepOld - amount;
                _writeCheckpoint(srcRep, srcRepNum, srcRepOld, srcRepNew);
            }

            if (dstRep != address(0)) {
                uint32 dstRepNum = numCheckpoints[dstRep];
                euint32 dstRepOld = dstRepNum > 0 ? checkpoints[dstRep][dstRepNum - 1].votes : TFHE.asEuint32(0);
                euint32 dstRepNew = dstRepOld + amount;
                _writeCheckpoint(dstRep, dstRepNum, dstRepOld, dstRepNew);
            }
        }
    }

Apart from the function signature, there's no need to make any changes to the [.c-inline-code]writeCheckpoint[.c-inline-code] function: [.c-inline-code]writeCheckpoint[.c-inline-code] will store the encrypted number of votes for a specific block.

Aside from changes in methods like [.c-inline-code]balanceOf[.c-inline-code] or [.c-inline-code]transfer[.c-inline-code] that were already discussed in the ERC-20 article and changes in function signatures, the token contract is good to go.

Governor

The Governor contract is responsible for managing proposals and votes. When the token amount is encrypted, you’ll want to keep the vote choice secret as well. To ensure vote confidentiality, we'll make changes to the ciphertext for both the total "for" and "against" votes.

The fhEVM provides a method which acts as a ternary operator on encrypted integers. This method is called cmux. When using [.c-inline-code]TFHE.cmux[.c-inline-code] to assign a value, the result changes, even if the plaintext value remains unchanged. This is useful because each time a vote is cast, both ciphertexts will be updated on the chain.

function _castVote(address voter, uint proposalId, ebool support) internal {
        require(state(proposalId) == ProposalState.Active, "GovernorAlpha::_castVote: voting is closed");
        Proposal storage proposal = proposals[proposalId];
        Receipt storage receipt = proposal.receipts[voter];
        require(receipt.hasVoted == false, "GovernorAlpha::_castVote: voter already voted");
        euint32 votes = comp.getPriorVotes(voter, proposal.startBlock);
        
        proposal.forVotes = TFHE.cmux(support, proposal.forVotes + votes, proposal.forVotes);
        proposal.againstVotes = TFHE.cmux(support, proposal.againstVotes, proposal.againstVotes + votes);

        receipt.hasVoted = true;
        receipt.votes = votes;

        // `support` and `votes` are encrypted values, no need to include them in the event.
        // emit VoteCast(voter, proposalId, support, votes);
        emit VoteCast(voter, proposalId);
    }

In our confidential Governor version, there exists a proposal threshold. Essentially, individuals with fewer than a specific number of tokens are ineligible to propose or cancel a vote. Since the amount of votes is encrypted, you must make adjustments to this verification process.

require(TFHE.decrypt(
    TFHE.lt(proposalThreshold(), comp.getPriorVotes(msg.sender, block.number - 1))
  ),
  "GovernorAlpha::propose: proposer votes below proposal threshold"
);

We are doing a homomorphic comparison between the proposal threshold and the number of votes using [.c-inline-code]TFHE.lt[.c-inline-code] which returns an encrypted boolean value. Once decrypted, you can use it with [.c-inline-code]require()[.c-inline-code] function to revert the transaction if needed.

Conclusion

Transitioning a DAO contract from an unencrypted state to an encrypted one has proven to be a straightforward process. fhEVM offers a user-friendly solution for writing smart contracts with encrypted data and performing homomorphic computations.

You can find Governor contract, Comp contract and more examples on the fhEVM repository. If you want to try fhEVM and write your own contract, we have a documentation, community support and even a bounty program.

Additional links

Read more related posts

Onchain Blind Auctions Using Homomorphic Encryption and the fhEVM

Blind auctions are notoriously hard to do in smart contracts, since all the transaction and states are public... But not anymore.

July 10, 2023
 - 
Clément Danjou
fhEVM
Engineering

Confidential ERC-20 Tokens Using Homomorphic Encryption and the fhEVM

FHE can be used in blockchain to enable confidential smart contracts, where transaction inputs and states remain encrypted.

June 28, 2023
 - 
Clément Danjou
fhEVM
Engineering

Private Smart Contracts Using Homomorphic Encryption

Rand Hindi's talk at EDCON 2023 about "Private Smart Contracts using Homomorphic Encryption".

May 23, 2023
 - 
Rand Hindi
fhEVM
Clément Danjou
July 10, 2023

Onchain Blind Auctions Using Homomorphic Encryption and the fhEVM

Blind auctions are notoriously hard to do in smart contracts, since all the transaction and states are public... But not anymore.

Read Article
Clément Danjou
June 28, 2023

Confidential ERC-20 Tokens Using Homomorphic Encryption and the fhEVM

FHE can be used in blockchain to enable confidential smart contracts, where transaction inputs and states remain encrypted.

Read Article
Rand Hindi
May 23, 2023

Private Smart Contracts Using Homomorphic Encryption

Rand Hindi's talk at EDCON 2023 about "Private Smart Contracts using Homomorphic Encryption".

Read Article
Back to Blog
fhEVM
Libraries
TFHE-rs Concrete Concrete ML FHEVM
Developers
BlogDOCUMENTATION GITHUB FHE resources Research papers CommunityBounty Program Confidential AIConfidential blockchainThreshold key management Service
Company
Aboutintroduction to fheEventsMediaCareers Newsletter LegalContact us
Privacy is necessary for an open society in the electronic age. Privacy is not secrecy. A private matter is something one doesn't want the whole world to know, but a secret matter is something one doesn't want anybody to know. Privacy is the power to selectively reveal oneself to the world.If two parties have some sort of dealings, then each has a memory of their interaction. Each party can speak about their own memory of this; how could anyone prevent it? One could pass laws against it, but the freedom of speech, even more than privacy, is fundamental to an open society; we seek not to restrict any speech at all. If many parties speak together in the same forum, each can speak to all the others and aggregate together knowledge about individuals and other parties. The power of electronic communications has enabled such group speech, and it will not go away merely because we might want it to.Since we desire privacy, we must ensure that each party to a transaction have knowledge only of that which is directly necessary for that transaction. Since any information can be spoken of, we must ensure that we reveal as little as possible. In most cases personal identity is not salient. When I purchase a magazine at a store and hand cash to the clerk, there is no need to know who I am. When I ask my electronic mail provider to send and receive messages, my provider need not know to whom I am speaking or what I am saying or what others are saying to me; my provider only need know how to get the message there and how much I owe them in fees. When my identity is revealed by the underlying mechanism of the transaction, I have no privacy. I cannot here selectively reveal myself; I must always reveal myself.Therefore, privacy in an open society requires anonymous transaction systems. Until now, cash has been the primary such system. An anonymous transaction system is not a secret transaction system. An anonymous system empowers individuals to reveal their identity when desired and only when desired; this is the essence of privacy.Privacy in an open society also requires cryptography. If I say something, I want it heard only by those for whom I intend it. If the content of my speech is available to the world, I have no privacy. To encrypt is to indicate the desire for privacy, and to encrypt with weak cryptography is to indicate not too much desire for privacy. Furthermore, to reveal one's identity with assurance when the default is anonymity requires the cryptographic signature.We cannot expect governments, corporations, or other large, faceless organizations to grant us privacy out of their beneficence. It is to their advantage to speak of us, and we should expect that they will speak. To try to prevent their speech is to fight against the realities of information. Information does not just want to be free, it longs to be free. Information expands to fill the available storage space. Information is Rumor's younger, stronger cousin; Information is fleeter of foot, has more eyes, knows more, and understands less than Rumor.We must defend our own privacy if we expect to have any. We must come together and create systems which allow anonymous transactions to take place. People have been defending their own privacy for centuries with whispers, darkness, envelopes, closed doors, secret handshakes, and couriers. The technologies of the past did not allow for strong privacy, but electronic technologies do.We the Cypherpunks are dedicated to building anonymous systems. We are defending our privacy with cryptography, with anonymous mail forwarding systems, with digital signatures, and with electronic money.Cypherpunks write code. We know that someone has to write software to defend privacy, and since we can't get privacy unless we all do, we're going to write it. We publish our code so that our fellow Cypherpunks may practice and play with it. Our code is free for all to use, worldwide. We don't much care if you don't approve of the software we write. We know that software can't be destroyed and that a widely dispersed system can't be shut down.Cypherpunks deplore regulations on cryptography, for encryption is fundamentally a private act. The act of encryption, in fact, removes information from the public realm. Even laws against cryptography reach only so far as a nation's border and the arm of its violence. Cryptography will ineluctably spread over the whole globe, and with it the anonymous transactions systems that it makes possible.For privacy to be widespread it must be part of a social contract. People must come and together deploy these systems for the common good. Privacy only extends so far as the cooperation of one's fellows in society. We the Cypherpunks seek your questions and your concerns and hope we may engage you so that we do not deceive ourselves. We will not, however, be moved out of our course because some may disagree with our goals.The Cypherpunks are actively engaged in making the networks safer for privacy. Let us proceed together apace.Onward. By Eric Hughes. 9 March 1993.