diff --git a/src/posts/2026-04-14-resilient-plural-identity.md b/src/posts/2026-04-14-resilient-plural-identity.md index 44e38af..59a2ed2 100644 --- a/src/posts/2026-04-14-resilient-plural-identity.md +++ b/src/posts/2026-04-14-resilient-plural-identity.md @@ -34,7 +34,7 @@ The standard model for on-chain identity follows a three-step dependency chain: 2. A **holder** presents that credential (or a ZK proof over it) to prove an attribute: age, nationality, sanctions-list status. 3. A **verifier** (smart contract, institution, dApp) checks the credential's validity, often by querying the issuer's revocation registry. -Every step depends on the issuer being live and cooperative. [ZKPassport](https://zkpassport.id/) verifies passport NFC signatures issued by governments. [Anon Aadhaar](https://github.com/anon-aadhaar) verifies Indian national ID signatures from UIDAI. [ZK Email](https://prove.email/) verifies DKIM signatures from email providers. [TLSNotary](https://tlsnotary.org/) verifies TLS session transcripts from web2 services. All of these produce strong cryptographic proofs of identity attributes. None of them answer the question: what happens when the entity behind the original credential disappears? +Every step depends on the issuer being live and cooperative. [ZKPassport](https://zkpassport.id/) verifies passport NFC signatures issued by governments. [Anon Aadhaar](https://github.com/anon-aadhaar) verifies Indian national ID signatures from UIDAI. [ZK Email](https://prove.email/) verifies DKIM signatures from email providers. [TLSNotary](https://tlsnotary.org/) verifies TLS session transcripts from web2 services. These systems produce strong cryptographic proofs, while still relying on the original source or issuer model for some trust assumptions. The issuer can fail in several ways. It can shut down (bankruptcy, sanctions, corporate dissolution). It can turn adversarial (mass-revoke credentials, publish false revocation lists, forge credentials for non-holders, refuse new issuance). It can simply go offline. In every case, the holder is left with a credential that cannot be independently verified. @@ -80,7 +80,7 @@ No issuer endpoint is contacted. No registry is queried. The on-chain root is th Two proofs from the same holder, one submitted to Verifier A and another to Verifier B, should look unrelated. No on-chain or off-chain observer should be able to tell they came from the same person. This is what separates useful private identity from tokenized surveillance. Most ZK identity systems fall short of it, either because the credential exposes a persistent identifier during presentation (the holder's pubkey, a hash that is deterministic across scopes), or because the issuer accumulates enough metadata during issuance to correlate later verifications back to a person. -This protocol targets unlinkability on two axes. Across verifiers, the scope-bound nullifier makes the same holder look unrelated to different applications. Across issuance and use, the vOPRF sits at the one point where the identity-source credential would otherwise become a correlation handle, so no single party, including any MPC subset below threshold, sees both sides of the mapping. This was the design goal behind [OpenAC](https://eprint.iacr.org/2026/251) and the motivating reason [TACEO](https://core.taceo.io/articles/taceo-oprf/) puts a vOPRF in the identity path. Without it, identity providers can still watch their users on-chain. +This protocol targets unlinkability on two axes. Across verifiers, the scope-bound nullifier makes the same holder look unrelated to different applications. Across issuance and use, the vOPRF sits at the one point where the identity-source credential would otherwise become a correlation handle, so no single party, including any MPC subset below threshold, sees both sides of the mapping. This was the design goal behind [OpenAC](https://eprint.iacr.org/2026/251) and the motivating reason [TACEO](https://core.taceo.io/articles/taceo-oprf/) puts a vOPRF in the identity path. Without this separation, issuer-side metadata can become a correlation surface. ## Sybil resistance @@ -161,19 +161,19 @@ This is a proof-of-concept with real limitations. Several projects tackle private identity on Ethereum from different angles. Here is where this protocol fits. -[Semaphore](https://semaphore.pse.dev/) (PSE) is the most established private membership proof system. Holders commit an identity to a Merkle tree and generate ZK proofs of membership with nullifiers. It provides the core primitive this protocol extends, but does not enforce sybil resistance at the identity layer: nothing prevents one person from inserting multiple commitments. +[Semaphore](https://semaphore.pse.dev/) (PSE) is the most established private membership proof system. Holders commit an identity to a Merkle tree and generate ZK proofs of membership with nullifiers. It provides the core primitive this protocol extends. -[World ID](https://worldcoin.org/world-id) takes the opposite approach: biometric enrollment via iris scan through a specialized device (the Orb) provides the strongest one-person-one-identity guarantee available. The tradeoff is hardware dependency and centralized enrollment infrastructure, which limits deployment to locations with physical Orb access. +[World ID](https://worldcoin.org/world-id) takes the opposite approach: biometric enrollment via iris scan through a specialized device (the Orb) provides the strongest one-person-one-identity guarantee available. [Self](https://self.xyz/), [ZKPassport](https://zkpassport.id/), and [Human](https://human.tech/) verify identity attributes and generate ZK proofs. Self and ZKPassport focus on passport NFC signatures on mobile. Human aggregates multiple identity signals into a unified score. All three produce strong per-session proofs and serve as viable enrollment sources for this protocol, with the vOPRF layer adding sybil resistance and issuer independence on top. -[zk-creds](https://eprint.iacr.org/2022/878) (Rosenberg et al., 2023) shares the Merkle-tree-as-issuance-list paradigm. Holders insert credentials into a public bulletin board and generate ZK proofs of possession. The approach works with existing identity documents without modification. The key difference is sybil resistance: zk-creds delegates duplicate prevention to the issuance list manager, while this protocol enforces it cryptographically via the vOPRF enrollment nullifier. +[zk-creds](https://eprint.iacr.org/2022/878) (Rosenberg et al., 2023) shares the Merkle-tree-as-issuance-list paradigm. Holders insert credentials into a public bulletin board and generate ZK proofs of possession. The approach works with existing identity documents without modification. [zk-promises](https://eprint.iacr.org/2024/1260) (Shih et al., 2025) extends anonymous credentials with stateful callbacks: issuers can asynchronously update, suspend, or revoke credentials after issuance, enabling reputation systems and moderation for anonymous users. The design targets interactive platform use cases (downvotes, bans, reputation decay) rather than institutional identity attestation. -[OpenAC](https://eprint.iacr.org/2026/251) (EF/PSE) adds unlinkable presentations over existing verifiable credentials (SD-JWT, mDL) with transparent ZK proofs and no trusted setup, compatible with the EUDI Architecture Reference Framework. It assumes a cooperative issuer for credential issuance, which is the assumption this protocol is designed to remove. +[OpenAC](https://eprint.iacr.org/2026/251) (EF/PSE) adds unlinkable presentations over existing verifiable credentials (SD-JWT, mDL) with transparent ZK proofs and no trusted setup, compatible with the EUDI Architecture Reference Framework. -[PLUME](https://aayushg.com/thesis.pdf) (ERC-7524) generates deterministic nullifiers from existing ECDSA keys, allowing Ethereum address holders to prove membership and prevent double-actions without new key material. It reuses existing keys (no enrollment ceremony) but does not support attribute predicates or identity-layer sybil resistance. +[PLUME](https://aayushg.com/thesis.pdf) (ERC-7524) generates deterministic nullifiers from existing ECDSA keys, allowing Ethereum address holders to prove membership and prevent double-actions without new key material. [TACEO](https://core.taceo.io/articles/taceo-oprf/) already runs a distributed threshold vOPRF in production using MPC across 13 globally distributed servers. Their roadmap explicitly targets preventing identity issuers from tracing on-chain usage by verified individuals. This is the same problem we are working on from the enrollment side, and their infrastructure is a natural deployment target for the vOPRF network this protocol requires. diff --git a/src/posts/2026-05-14-resilient-disbursement-rails.md b/src/posts/2026-05-14-resilient-disbursement-rails.md index ff87918..a4e7104 100644 --- a/src/posts/2026-05-14-resilient-disbursement-rails.md +++ b/src/posts/2026-05-14-resilient-disbursement-rails.md @@ -25,7 +25,7 @@ The protocol hides the path from funder to off-ramp deposit. At the off-ramp, th We have run into versions of this in our own work. The [shielded pool](/building-private-transfers-on-ethereum/) and [plasma chain](/private-stablecoins-with-plasma/) we built both treat the depositor and the recipient as the privacy boundary. They make on-chain trace useless to a passive observer. They do not protect a recipient who has to walk to a licensed exchange, hand over a passport, and sell the asset for local currency. Every documented financial-surveillance prosecution pivoted on the KYC'd exchange account, the merchant identifier visible to a domestic bank, or the subpoenaed exchange record. Chain analytics on its own has not deanonymized a specific recipient in any case in the public record. -The constraint set is sharper when recipients live somewhere the authorities are hostile to the funder, the implementing partner, or the recipients themselves. Recipients in Yemen, Afghanistan, Syria, the Rohingya camps, or Russia under the FBK donor crackdown cannot be assumed to have a phone or an internet connection. Implementing partners (NGOs, money transfer operators) get breached, coerced, or inherited by successor regimes. The protocol assumes every party in the path between funder and recipient will eventually be compromised. +The constraint set is sharper when recipients live somewhere the authorities are hostile to the funder, the implementing partner, or the recipients themselves. Recipients cannot be assumed to have a phone or an internet connection. Implementing partners may get breached, coerced, or inherited by successor regimes. The protocol assumes every party in the path between funder and recipient will eventually be compromised. The implementation is [open source](https://github.com/ethereum/iptf-pocs/tree/master/pocs/private-payment/resilient-disbursement-rails), with a detailed [specification](https://github.com/ethereum/iptf-pocs/blob/master/pocs/private-payment/resilient-disbursement-rails/SPEC.md). @@ -35,11 +35,11 @@ The standard model for cross-border humanitarian disbursement is a layered chain The state that lets the chain function under good conditions is exactly what makes it brittle under bad ones. Three failure modes recur in the public record. -**Implementing-partner databases get inherited.** Beneficiary registries from the [Rohingya enrollment program](https://www.hrw.org/news/2021/06/15/un-shared-rohingya-data-without-informed-consent), [Yemen's WFP SCOPE deployment](https://www.thenewhumanitarian.org/news/2019/06/17/un-yemen-rebels-aid-theft-biometrics), the [2021 Afghanistan transition](https://theintercept.com/2021/08/17/afghanistan-taliban-military-biometrics/), the [December 2024 Syria transition](https://www.hrw.org/news/2025/05/12/syria-new-government-restricts-aid-operations), [occupied territories in Ukraine after 2022](https://www.pbs.org/newshour/world/russia-imposes-its-passport-on-occupied-ukraine-coercing-hundreds-of-thousands-into-citizenship), and [Mosul under ISIS occupation between 2014 and 2017](https://www.nrc.no/news/2022/september/iraq-five-years-on-from-the-end-of-the-conflict-up-to-one-million-iraqis-lack-essential-identity-documents) have either been seized or shared with adversarial governments without consent. Compelled disclosure has driven most of the documented humanitarian-data prosecutions. +**Implementing-partner databases get inherited.** Beneficiary registries have either been seized or shared with adversarial governments without consent. Compelled disclosure has driven most of the documented humanitarian-data prosecutions. -**Off-ramps pivot KYC.** [Russia's FBK donor prosecutions](https://en.zona.media/article/2026/04/21/acf_donations) (more than 200 cases as of April 2026), the [Nobitex 2025 KYC dump](https://www.trmlabs.com/resources/blog/inside-the-nobitex-breach-what-the-leaked-source-code-reveals-about-irans-crypto-infrastructure), the [Israeli NBCTF seizure of 189 Binance accounts](https://www.timesofisrael.com/israel-seizes-189-crypto-accounts-linked-to-terror-groups-since-2021-report/), and the [260+ Chinese crypto enforcement cases](https://www.cnbc.com/2021/06/10/china-arrests-over-1100-suspects-for-crypto-related-money-laundering.html) (2021 MPS sweep) all combined on-chain trace with subpoenaed exchange records to identify specific individuals. Chain analytics on its own was insufficient. The KYC process in the exchange was the crucial input. +**Off-ramps pivot KYC.** Certain investigations combined on-chain trace with subpoenaed exchange records to identify specific individuals. Chain analytics on its own was insufficient. The KYC process in the exchange was the crucial input. -**Rails get frozen and civil identity gets weaponized.** Account freezes used as political instruments ([Nigeria EndSARS 2020](https://www.hrw.org/news/2020/11/13/nigeria-punitive-financial-moves-against-protesters) against named protest organisers, [Belarus 2021 to 2022](https://www.amnesty.org/en/latest/press-release/2021/07/belarus-sweeping-closure-of-dozens-of-ngos-as-the-crackdown-on-civil-society-continues/), [Turkey Bank Asya 2016](https://www.bloomberg.com/news/articles/2016-07-18/turkey-halts-gulen-linked-bank-asya-operations-after-failed-coup)) and rail de-risking ([Somali MTO 2013 to 2015](https://www.newstatesman.com/world/africa/2013/11/barclays-vs-dahabshiil-when-somali-money-transfer-company-takes-banking-giant), [Afghanistan Western Union and MoneyGram 2021](https://www.aljazeera.com/economy/2021/9/2/western-union-to-resume-money-transfer-services-to-afghanistan), [Muslim charity de-banking 2014 to 2022](https://www.middleeasteye.net/news/banking-services-withdrawn-4-10-uk-muslim-charities)) show that traditional rails fail under sustained political pressure. State civil-identity systems ([Xinjiang IJOP](https://www.hrw.org/report/2019/05/01/chinas-algorithms-repression/reverse-engineering-xinjiang-police-mass), [Turkey ByLock](https://www.statewatch.org/publications/reports-and-books/bylock-prosecutions-and-the-right-to-fair-trial-in-turkey-the-ecthr-grand-chamber-s-ruling-in-yuksel-yalcinkaya-v-turkiye/), [Pakistan NADRA](https://www.codastory.com/surveillance-and-control/pakistan-biometric-identification-nadra/)) collapse when the state is the adversary. +**Rails get frozen and civil identity gets weaponized.** Account freezes used as political instruments against named protest organisers, and rail de-risking show that traditional rails fail under sustained political pressure. State civil-identity systems collapse when the state is the adversary. The recipient constraint set is the hardest part. Recipients hold tamper-resistant smartcards, cannot run zero-knowledge provers on-card, may have intermittent or no internet, and lose devices at meaningful rates. @@ -138,7 +138,7 @@ A handful of smaller limitations are answered at the operational layer rather th This builds on a few existing lines of work. -[Railgun](https://railgun.org/) with Private Proofs of Innocence is a production shielded-pool deployment on Ethereum mainnet, with the most developed answer to the off-ramp compliance question available today. This protocol's `IShieldedPool` interface is satisfiable by any Railgun-class deployment. +[Railgun](https://railgun.org/) with Private Proofs of Innocence is a production shielded-pool deployment on Ethereum mainnet. This protocol's `IShieldedPool` interface is satisfiable by any Railgun-class deployment. [Privacy Pools](https://privacypools.com/) formalized the association-set model that bounds this PoC's pool-level k-anonymity argument. The reachable anonymity set at the off-ramp is the calling claim contract's sub-tree, which is exactly the association-set framing. @@ -146,7 +146,7 @@ This builds on a few existing lines of work. The stealth-address standards [ERC-5564](https://eips.ethereum.org/EIPS/eip-5564) (address generation) and [ERC-6538](https://eips.ethereum.org/EIPS/eip-6538) (stealth meta-address registry), with deployments at [Umbra](https://app.umbra.cash/) and [Fluidkey](https://fluidkey.com/), establish the recipient-derived-destination pattern. This protocol's stealth derivation runs on-card via HMAC over the master secret, not off-card from a published meta-address. The decision keeps the secret on the smartcard and trades a published-meta-address ergonomic for a tamper-resistance gain. -[Keycard](https://keycard.tech/) is the open-source secure-element wallet reference, running on EAL6+ chips. The `SIGN_VOUCHER` applet here targets a comparable JCOP-class envelope, with EAL4+ AVA_VAN.5 ([BSI-CC-PP-0084](https://www.bsi.bund.de/SharedDocs/Zertifikate_CC/PP/aktuell/PP_0084.html)) as the production-target floor. The [GridPlus Lattice1](https://gridplus.io/) is a comparable secure-element plus companion architecture, with the difference that the companion in this PoC never sees the master secret and only computes the off-card destination and nullifier. +[Keycard](https://keycard.tech/) is the open-source secure-element wallet reference for this prototype, running on EAL6+ chips. The `SIGN_VOUCHER` applet here targets a comparable JCOP-class envelope, with EAL4+ AVA_VAN.5 ([BSI-CC-PP-0084](https://www.bsi.bund.de/SharedDocs/Zertifikate_CC/PP/aktuell/PP_0084.html)) as the production-target floor. The [GridPlus Lattice1](https://gridplus.io/) is a comparable secure-element plus companion architecture. [Briar](https://briarproject.org/) (Bluetooth LE plus Tor), [Meshtastic](https://meshtastic.org/) (LoRa), and [Reticulum](https://reticulum.network/) (LoRa, packet radio, and other transports) are the candidate `ISubmission` transports for offline voucher delivery from companion to relay. The PoC's port abstraction makes any conforming mesh transport interoperable. @@ -156,7 +156,7 @@ The stealth-address standards [ERC-5564](https://eips.ethereum.org/EIPS/eip-5564 [Zerocash](https://eprint.iacr.org/2014/349) (Ben-Sasson et al., 2014) is the prior-art reference for commitment-nullifier shielded payments. This protocol's pool-withdraw circuit is a direct descendant of the Zerocash spend circuit, restricted to a per-claim-contract sub-tree and bound to a claim circuit via a shared nullifier. -[WFP SCOPE Cards](https://usermanual.scope.wfp.org/scope-cards/content/common_topics/introduction/1_introduction.htm), [WFP Building Blocks](https://innovation.wfp.org/project/building-blocks), and [GiveDirectly](https://www.givedirectly.org/) are the reference points for cash-and-voucher assistance at scale. SCOPE Cards is WFP's smartcard-based beneficiary identification and disbursement platform, backed by a centralized cloud registry; Building Blocks runs on a permissioned EVM-style chain and centralizes beneficiary records; GiveDirectly is the standard comparator for direct cash transfer. All three share the disbursement use case but our prototype targets off-ramp unlinkability & smartcard envelopes for adversarial-jurisdiction recipients. +There also exist multiple large-scale humanitarian cash-and-voucher programs that inspired part of this design. ## What comes next diff --git a/src/posts/2026-05-28-resilient-civic-participation.md b/src/posts/2026-05-28-resilient-civic-participation.md index 36aaaa2..12eccfa 100644 --- a/src/posts/2026-05-28-resilient-civic-participation.md +++ b/src/posts/2026-05-28-resilient-civic-participation.md @@ -19,8 +19,6 @@ tags: Petitions create signed lists. Whoever holds that list gets the leverage to make signing dangerous. The best petition system is the one that never produces a list at all; what survives the round is a count. -Take Venezuela in 2004. The petition to trigger a recall referendum against Hugo Chávez collected 2.4 million signatures. Months before the August 15 vote (which Chávez survived), National Assembly member Luis Tascón published the [signer list with national-ID numbers](https://globalfreedomofexpression.columbia.edu/cases/san-miguel-sosa-v-venezuela/) on his website. Public-sector workers on the list were [fired in retaliation](https://www.hrw.org/news/2016/07/20/venezuela-recall-supporters-fired); the list was already in active use months before the vote itself. In 2018 the Inter-American Court of Human Rights held Venezuela responsible for political-retaliation dismissals based on the list. The 2016 recall against Maduro reproduced the pattern. Variants of this pattern have played out across more than a decade in multiple jurisdictions.[^1] - The protocol described here removes the list. Signers prove eligibility against an external credential layer, sign at most once per petition, and submit through a relayer that aggregates many signatures into a single batched proof on Ethereum. The on-chain artifacts are per-class counts and a Boolean outcome, verifiable from L1 as long as the [EIP-4844](https://eips.ethereum.org/EIPS/eip-4844) blob payloads remain reachable through consensus retention or, past that window, a voluntary archive. A future government, a successor regime, or a coerced platform operator can demand the list, but the protocol does not produce one to hand over. The implementation is [open source](https://github.com/ethereum/iptf-pocs/tree/master/pocs/civic-participation/resilient-civic-participation), with a detailed [specification](https://github.com/ethereum/iptf-pocs/blob/master/pocs/civic-participation/resilient-civic-participation/SPEC.md). Sybil resistance is delegated to the [ResilientIdentity](/resilient-plural-identity/) credential layer from the first post in this series. @@ -29,7 +27,7 @@ The implementation is [open source](https://github.com/ethereum/iptf-pocs/tree/m The standard model is a three-party chain. A trusted organiser publishes the petition and collects signatures. A verifying authority (election commission, NGO compliance team, civic-tech vendor) checks each signature against a population register or a digital ID. The same state that lets this chain function in good conditions makes it brittle. -The European Citizens' Initiative, the EU's only direct-democracy instrument, requires signers in 18 of 27 member states to surrender their [national identifier or passport number](https://citizens-initiative.europa.eu/data-requirements_en), along with full name, address, date of birth, and nationality, to a state verifying authority. The ECI is well-regulated and GDPR-compliant; it is also a compelled-collection surface by design. Online petition platforms (Change.org, We the People, and most civic-tech notaries) keep the signer list on a centralised database tied to email accounts and are subject to data-retention orders, subpoenas, and payment-processor pressure. +The European Citizens' Initiative, the EU's only direct-democracy instrument, requires signers in 18 of 27 member states to surrender their [national identifier or passport number](https://citizens-initiative.europa.eu/data-requirements_en), along with full name, address, date of birth, and nationality, to a state verifying authority. The ECI is well-regulated and GDPR-compliant. Signers in adversarial jurisdictions face additional constraints: intermittent network access, no consistent device identity, and a meaningful probability of device seizure between sessions. The protocol assumes any party who can be reached by a subpoena will eventually be reached by one. @@ -83,7 +81,7 @@ Fourteen days after close-at-block, the dispute window ends and any party can co A resolver who submits a wrong outcome fails the SNARK. A one-hour grace past the dispute deadline keeps `markUnresolved` from racing a valid resolution in the same block; once that hour passes with no resolution on chain, any party can call `markUnresolved`, which replaces the running root with a tombstone marker, refunds the bounty (less a 1% gas rebate cap) to the organiser, and transitions the petition to a permanent Unresolved state. -Blob retention is the operational caveat. EIP-4844 retains each batch's blob payload for 4096 epochs (around 18 days) from that batch's own publication block, not from the petition close. With signing windows up to 11.5 days and resolution opening 14 days after close-at-block, any batch published more than 4 days before close has already left consensus retention by the time resolution begins, and disputes against early batches lose consensus-retained data partway through the dispute window. Petitions therefore depend on a [voluntary archive](https://blobscan.com/) or long-term blob storage such as [EthStorage](https://ethstorage.io/) for batches outside that envelope; the on-chain batch SNARK commitments bind blob payloads to versioned hashes, so any archive copy is verifiable against the registry record. +Blob retention is the operational caveat. EIP-4844 retains each batch's blob payload for 4096 epochs (around 18 days) from that batch's own publication block, not from the petition close. With signing windows up to 11.5 days and resolution opening 14 days after close-at-block, any batch published more than 4 days before close has already left consensus retention by the time resolution begins, and disputes against early batches lose consensus-retained data partway through the dispute window. Petitions therefore depend on a [voluntary archive](https://blobscan.com/) or long-term blob storage such as [EthStorage](https://ethstorage.io/) for batches outside that envelope; the on-chain batch SNARK commitments bind blob payloads to versioned hashes, so any archive copy is verifiable against the registry record. ## Compliance for civic operators @@ -151,7 +149,7 @@ This is a proof of concept and the limitations are real. A few lines of prior work sit close to this one. -[MACI](https://maci.pse.dev/) (PSE, [proposed by Vitalik in 2019](https://ethresear.ch/t/minimal-anti-collusion-infrastructure/5413)) is the most-deployed on-chain anti-collusion voting framework. It runs a coordinator that re-encrypts votes during the round to defeat bribery. This protocol removes the coordinator role: tallying is derivable from chain state alone, and unlinkability does not require a live operator. The two differ in shape (vote vs petition) and in their trust model around the coordinator. [Cicada](https://a16zcrypto.com/posts/article/building-cicada-private-on-chain-voting-using-time-lock-puzzles/) (a16z 2023) hides per-option running tallies via linearly-homomorphic time-lock puzzles; the petition protocol here hides each signer's identity at all times, and the final per-class counts are deterministic from blob data with no time-lock dependency. The two designs are complementary. [CRISP](https://docs.theinterfold.com/CRISP/introduction) (Interfold, formerly Enclave) combines BFV homomorphic encryption for encrypted tally aggregation with Noir and RISC Zero proofs for vote validity, and runs an optional-bypass coordinator; the petition protocol here keeps per-class counts public by design (they are the outcome) and removes the coordinator role entirely. +[MACI](https://maci.pse.dev/) (PSE, [proposed by Vitalik in 2019](https://ethresear.ch/t/minimal-anti-collusion-infrastructure/5413)) is an on-chain anti-collusion voting framework. It runs a coordinator that re-encrypts votes during the round to defeat bribery. This protocol does not require a coordinator role: tallying is derivable from chain state alone, and unlinkability does not require a live operator. The two differ in shape (vote vs petition) and in their trust model around the coordinator. [Cicada](https://a16zcrypto.com/posts/article/building-cicada-private-on-chain-voting-using-time-lock-puzzles/) hides per-option running tallies via linearly-homomorphic time-lock puzzles; the petition protocol here hides each signer's identity at all times, and the final per-class counts are deterministic from blob data with no time-lock dependency. The two designs are complementary. [CRISP](https://docs.theinterfold.com/CRISP/introduction) (Interfold, formerly Enclave) combines BFV homomorphic encryption for encrypted tally aggregation with Noir and RISC Zero proofs for vote validity, and runs an optional-bypass coordinator; the petition protocol here keeps per-class counts public by design (they are the outcome) and does not require a coordinator role. [Semaphore](https://semaphore.pse.dev/) (PSE) is the canonical ZK group-membership primitive. The signer SNARK here extends it with per-petition nullifiers, per-slot ratchet values, and class-conditional inclusion proofs. [PLUME](https://eips.ethereum.org/EIPS/eip-7524) (ERC-7524) is the most-deployed nullifier-from-existing-key primitive; the protocol's nullifiers bind to (petition, slot, ratchet value), so the same key produces unrelated nullifiers across petitions. @@ -159,15 +157,15 @@ A few lines of prior work sit close to this one. [Gitcoin Passport / Human Passport](https://passport.human.tech/) aggregates web2 accounts, web3 holdings, and biometric proofs into a sybil score. [BrightID](https://www.brightid.org/) provides social-graph sybil resistance. [Sismo zkBadges](https://github.com/sismo-core) (sunset 2023; smart contracts open source) aggregates per-account credentials into source-bound badges. Any of these can supply the credential layer the petition layer composes against; the petition layer is agnostic to the sybil-resistance mechanism inside R. -[Helios](https://www.usenix.org/conference/17th-usenix-security-symposium/helios-web-based-open-audit-voting) (Adida 2008) is the first web-based open-audit voting system with homomorphic tallying. [Belenios](https://www.belenios.org/) (Inria/CNRS/Université de Lorraine) is a general-purpose verifiable voting system widely deployed for academic and institutional elections, with threshold trustees. [Open Vote Network](https://homepages.cs.ncl.ac.uk/feng.hao/files/OpenVote_IET.pdf) (Hao, Ryan, Zieliński 2010) is the self-tallying boardroom-scale protocol with no tallying authority. All three trust a bulletin-board operator, a trustee committee, or a small group size; this protocol treats Ethereum L1 plus blobs as the bulletin board and eliminates the trustee role. +[Helios](https://www.usenix.org/conference/17th-usenix-security-symposium/helios-web-based-open-audit-voting) (Adida 2008) is the first web-based open-audit voting system with homomorphic tallying. [Belenios](https://www.belenios.org/) (Inria/CNRS/Université de Lorraine) is a general-purpose verifiable voting system widely deployed for academic and institutional elections, with threshold trustees. [Open Vote Network](https://homepages.cs.ncl.ac.uk/feng.hao/files/OpenVote_IET.pdf) (Hao, Ryan, Zieliński 2010) is the self-tallying boardroom-scale protocol with no tallying authority. -The [European Citizens' Initiative](https://eur-lex.europa.eu/eli/reg/2019/788/oj/eng) (Regulation (EU) 2019/788) is the regulatory shape this protocol is designed to fit. Swiss [federal e-collecting trials](https://www.swissinfo.ch/eng/swiss-democracy/green-light-for-electronic-signature-collection-trials/90790010), authorised after the 2024 signature-forgery scandals, are a parallel direct-democracy effort. Their deduplication runs against electoral registers; this protocol uses per-petition nullifiers. The [MIT Specter-Koppel-Weitzner 2020 audit](https://internetpolicy.mit.edu/wp-content/uploads/2020/02/SecurityAnalysisOfVoatz_Public.pdf) of Voatz and the [Halderman et al. 2014 audit](https://jhalderm.com/pub/papers/ivoting-ccs14.pdf) of Estonia's i-voting system documented passive-network deanonymisation, ballot alteration, and structural trust assumptions that motivate moving integrity-critical state on-chain. +The [European Citizens' Initiative](https://eur-lex.europa.eu/eli/reg/2019/788/oj/eng) (Regulation (EU) 2019/788) is the regulatory shape this protocol is designed to fit. Swiss [federal e-collecting trials](https://www.swissinfo.ch/eng/swiss-democracy/green-light-for-electronic-signature-collection-trials/90790010) are a parallel direct-democracy effort. Their deduplication runs against electoral registers; this protocol uses per-petition nullifiers. The forward-secure construction sits in a well-trodden family. [Bellare and Yee 2003](https://eprint.iacr.org/2001/035) is the formal foundation for forward-secure PRGs; [Szydlo 2004](https://www.szydlo.com/szydlo-loglog.pdf) is the log-space Merkle traversal that keeps signer state bounded. The [Signal Double Ratchet](https://signal.org/docs/specifications/doubleratchet/) composes a symmetric-key KDF chain (for forward secrecy) with a Diffie-Hellman ratchet (for post-compromise security); [MLS TreeKEM (RFC 9420)](https://www.rfc-editor.org/rfc/rfc9420.html) extends forward secrecy to groups of thousands with continuous key agreement. The FSRT used here is non-interactive and tree-shaped (one leaf consumed per signature), so a SNARK can verify a per-slot value without rebuilding state from genesis. For data availability, [EIP-4844](https://eips.ethereum.org/EIPS/eip-4844) is the substrate; [EIP-7594 (PeerDAS)](https://eips.ethereum.org/EIPS/eip-7594) raises the blob ceiling under Fusaka, which is what makes ECI-scale petitions feasible in a single round; [Blobscan](https://blobscan.com/) and [EthStorage](https://ethstorage.io/) are the candidate long-term archives. For recursion, [Aztec UltraHonk](https://barretenberg.aztec.network/docs/explainers/recursive_aggregation/) is the proving system. -[Snapshot](https://docs.snapshot.box/), [Tally](https://docs.tally.xyz/), and [Aragon](https://www.aragon.org/) are the existing on-chain governance tools. Snapshot's authoritative state is IPFS-hosted signed messages; Tally and Aragon are pseudonymous and per-token. This protocol sits adjacent: it produces anonymous, class-thresholded petition outcomes with no per-signer on-chain footprint and durable verifiability beyond any operator's lifetime. [Optimism Citizens' House and Retro Funding](https://community.optimism.io/citizens-house/how-retro-funding-works) (formerly RetroPGF) encode plural-identity public-goods funding under a single jurisdiction's roster; this protocol encodes plural-class petition outcomes under an external credential root. +[Snapshot](https://docs.snapshot.box/), [Tally](https://docs.tally.xyz/), and [Aragon](https://www.aragon.org/) are the existing on-chain governance tools. Snapshot's authoritative state is IPFS-hosted signed messages; Tally and Aragon are pseudonymous and per-token. This protocol sits adjacent: it produces anonymous, class-thresholded petition outcomes with no per-signer on-chain footprint and durable verifiability beyond any operator's lifetime. [Optimism Citizens' House and Retro Funding](https://community.optimism.io/citizens-house/how-retro-funding-works) (formerly RetroPGF) encode plural-identity public-goods funding under a defined membership roster; this protocol encodes plural-class petition outcomes under an external credential root. For transport, [Tor](https://www.torproject.org/), [Nym](https://nym.com/), and [HOPR](https://hoprnet.org/) are the candidate substrates for the signer-to-relayer and relayer-to-L1 hops. @@ -175,7 +173,7 @@ For transport, [Tor](https://www.torproject.org/), [Nym](https://nym.com/), and The series covered three brittle pieces of state. Identity that depends on an authority who will eventually stop signing. Payments that depend on a rail that can be subpoenaed at the off-ramp. Civic participation that depends on a signer list that someone will eventually publish. Each post replaced the live authority with an on-chain Merkle root and a SNARK that proves statements against it. Where a central database used to hold long-lived static records, the resilient stack keeps per-holder secrets that never leave the holder and forward-secure state that advances as the protocol does. -This is not always the right tool. [MACI](https://maci.pse.dev/) handles per-vote bribery during an active round, since its coordinator re-encrypts votes mid-round; this protocol cannot. [Cicada](https://a16zcrypto.com/posts/article/building-cicada-private-on-chain-voting-using-time-lock-puzzles/) hides the running tally with time-lock puzzles; here the count is derivable from blob data the moment a batch enters state. And in jurisdictions where surrendering national identifiers to a state verifying authority is mandatory and the retaliation threat is acceptable, the EU's centralised ECI deduplication will be cheaper to run. This protocol fits the narrower case where the list itself is the threat and the operator wants to answer a future subpoena with "we do not hold what you are asking for" as a technical fact. +This is not always the right tool. [MACI](https://maci.pse.dev/) handles per-vote bribery during an active round, since its coordinator re-encrypts votes mid-round; this protocol cannot. [Cicada](https://a16zcrypto.com/posts/article/building-cicada-private-on-chain-voting-using-time-lock-puzzles/) hides the running tally with time-lock puzzles; here the count is derivable from blob data the moment a batch enters state. In jurisdictions where central identity collection is legally required and acceptable for the use case, existing deduplication systems may be cheaper to run. The pieces compose. A holder enrolled in [Resilient Plural Identity](/resilient-plural-identity/) can be a recipient in [Resilient Disbursement Rails](/resilient-disbursement-rails/) and a signer in this protocol, all under the same credential root, with none of the three operations producing a record the others can be joined to. The resilience stack is the one where no single layer being captured collapses any other. @@ -184,12 +182,3 @@ The pieces compose. A holder enrolled in [Resilient Plural Identity](/resilient- If you are running a humanitarian organisation, a govtech platform, a civil-society campaign, an NGO, or a regulator with a use case where the existence of a list is itself the risk, we want to hear from you. The three protocols described in this series cover identity continuity, private disbursement, and credentialed petition signing; the wider [IPTF Map](https://github.com/ethereum/iptf-map) catalogues a broader set of primitives that Ethereum can support. Reach out by [opening an issue](https://github.com/ethereum/iptf-pocs/issues) on the PoC repository, or via the contact information on the [IPTF home page](https://iptf.ethereum.org/). The [specification](https://github.com/ethereum/iptf-pocs/blob/master/pocs/civic-participation/resilient-civic-participation/SPEC.md) has the full circuit constraints, contract semantics, and security considerations. The IPTF Map [use case](https://github.com/ethereum/iptf-map/blob/master/use-cases/resilient-civic-participation.md) and [approach](https://github.com/ethereum/iptf-map/blob/master/approaches/approach-civic-participation.md) documents place this in the broader institutional-privacy work. - -[^1]: Other documented cases: - - - Cuba's [Varela Project](https://en.wikipedia.org/wiki/Varela_Project) collected 11,000 signatures in 2002; the March 2003 "Black Spring" jailed 75 dissidents in total, 25 of them Varela organisers, with sentences of 6 to 28 years. - - After Alexei Navalny's Anti-Corruption Foundation was branded "extremist" in 2021, Russian security services used the foundation's Stripe merchant ID, visible on donor bank statements, to drive [more than 100 criminal cases](https://en.zona.media/article/2025/10/15/donors); the financial rail itself became the signer list. - - In Belarus in mid-2020, UN experts reported around [500 people detained for giving or collecting signatures](https://monitor.civicus.org/explore/opposition-candidates-and-supporters-persecuted-detained-ahead-elections/) to nominate opposition candidates. - - Turkey jailed academics for [signing a peace petition](https://www.hrw.org/news/2016/03/16/turkey-academics-jailed-signing-petition) in 2016. - - In January 2021, Hong Kong arrested 53 people involved in an unofficial pro-democracy primary under the National Security Law; 47 were charged and [45 were sentenced in November 2024](https://news.un.org/en/story/2024/11/1157166). - - Washington's Referendum 71 supporters argued before the U.S. Supreme Court that disclosure would invite the same harassment Proposition 8 donors faced after their publicly disclosed campaign-finance records were aggregated and mapped on [Eightmaps.com](https://odimpact.org/case-united-states-eightmaps.html); the court declined facial relief but [acknowledged the threat](https://supreme.justia.com/cases/federal/us/561/186/).