Semaphore #58

Open

PopcornPaws opened this issue May 11, 2023 · 0 comments
Labels
research Research notes on a specific topic

PopcornPaws commented May 11, 2023

Description

Semaphore is an anonymous signalling protocol for Ethereum. This means that you can vote/rsvp/etc without revealing your identity in a group of eligible entities. How does this work in a nutshell?

  • users generate an identity and a commitment to this secret identity
  • users submit their identity commitments to an admin who manages a Merkle Tree consisting of the submitted identity commitments
  • once the Merkle Tree is complete, users may submit a zero-knowledge proof proving their membership in the Merkle Tree
  • users send their vote or some generic signal along with the proof.

Semaphore is designed to disallow double-signalling, i.e. users cannot vote twice with the same identity.

Structure

Semaphore can be divided into four main parts:

  • identities: user-generated identities that can be ephemeral (single-use) or deterministically (re)generated using a secret seed
  • groups: Merkle Trees accumulating the identity commitments (these can be stored and managed either on- or off-chain)
  • circuits: used for generating zk proofs (Groth16 SNARKs) which can be verified either on- or off-chain
  • contracts: for managing Merkle Trees and verifying proofs on-chain

How could we use it?

  • Off-chain Merkle Trees
    • our backend stores and maintains a Merkle Tree for each "privacy" role
    • users go through the same requirement checks when they want a role, but they also submit an ephemeral (one-time) identity along with their join request
    • if they pass the requirement checks, their identity commitment is added to the "privacy" role's Merkle Tree
  • On-chain Merkle Trees
    • we deploy a semaphore contract for each "privacy" role that only requires on-chain assets to join (e.g. tokens/credentials)
    • users can only join the on-chain Merkle Tree, if they pass a specific token/asset check on-chain (these could be Guild credentials as well)
  • when users want to join a discord server/telegram channel, they send a membership proof to the respective bot along with their dc/tg identity
  • the bot queries the Merkle Root from the Guild backend or the contract, checks the proof and grants them access without knowing which registered guild user joined the server

Notes and caveats

Semaphore is more of a tool that builds on Guild, i.e. it is usable by users who already have access to a role. The Semaphore identity is not an Ethereum address and it doesn't have any tokens, funds, etc. It is essentially just two secret numbers that make proving knowledge of these numbers (witnesses) much easier and more lightweight than proving ownership of an EVM address. Thus, we need extra steps to link it to the user's registered addresses.

IMPORTANT Even if we track that an address has sold an NFT and we remove their commitment from the Merkle Tree, we have no way to remove them from a discord server/telegram channel automatically. So the same issue holds as with our old solution.

However, we could link a deterministic identity commitment to a user's addresses, thus, when they sell their assets and lose the role, we can remove their commitment from the merkle tree and they won't be able to use semaphore-related apps connected to the role anymore.

Potential contributions

@PopcornPaws PopcornPaws added the research Research notes on a specific topic label May 11, 2023
@PopcornPaws PopcornPaws self-assigned this May 11, 2023
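The flow described in the issue (identity of two secret numbers, commitment, Merkle Tree of commitments, membership proof, no double-signalling), as an added toy simulation that is not Semaphore's own code: SHA-256 stands in for Poseidon, the trapdoor/nullifier derivation from a seed is an assumption, and the member's commitment and Merkle path are sent in the clear instead of being hidden inside a Groth16 proof, so it shows the data flow and the nullifier check, not the zero-knowledge part.

```python
import hashlib
import secrets

def h(*parts):  # toy hash: SHA-256 stands in for the Poseidon hash Semaphore uses
    return hashlib.sha256(b"".join(parts)).digest()
class Identity:  # two secret numbers; only the commitment is published to the group
    def __init__(self, seed=None):  # a seed makes the identity deterministic
        src = seed if seed is not None else secrets.token_bytes(32)
        self.trapdoor = h(b"trapdoor", src)  # assumed derivation, not Semaphore's
        self.nullifier = h(b"nullifier", src)
    def commitment(self):
        return h(b"commit", self.trapdoor, self.nullifier)
def build_tree(leaves):  # leaf count must be a power of two; returns all levels, leaves first
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        lvl = levels[-1]
        levels.append([h(lvl[i], lvl[i + 1]) for i in range(0, len(lvl), 2)])
    return levels
def merkle_path(levels, index):  # list of (sibling, node_is_right_child)
    path = []
    for level in levels[:-1]:
        path.append((level[index ^ 1], index & 1))
        index >>= 1
    return path
def verify_path(leaf, path, root):
    node = leaf
    for sibling, is_right in path:
        node = h(sibling, node) if is_right else h(node, sibling)
    return node == root
def make_signal(identity, levels, index, external_nullifier, signal):
    # Semaphore keeps commitment and path inside the SNARK witness; here they are sent in clear
    return {"commitment": identity.commitment(), "path": merkle_path(levels, index),
            "nullifier_hash": h(external_nullifier, identity.nullifier), "signal": signal}
def accept(root, seen, msg):  # bot/contract side: membership check, then double-signal check
    if not verify_path(msg["commitment"], msg["path"], root):
        return False  # commitment is not in the group's Merkle Tree
    if msg["nullifier_hash"] in seen:
        return False  # same identity already signalled under this external nullifier
    seen.add(msg["nullifier_hash"])
    return True
def demo():  # constructed scenario: one poll, one honest member signalling twice, one outsider
    members = [Identity() for _ in range(4)]
    levels, seen = build_tree([m.commitment() for m in members]), set()
    root = levels[-1][0]
    first = accept(root, seen, make_signal(members[0], levels, 0, b"poll-1", b"yes"))
    again = accept(root, seen, make_signal(members[0], levels, 0, b"poll-1", b"no"))
    forged = make_signal(Identity(), levels, 0, b"poll-1", b"yes")  # outsider reusing a member's path
    return first, again, accept(root, seen, forged)
```

The external nullifier (here the poll id) is what scopes the double-signal check: the same identity produces a different nullifier hash for a different poll, so removing a member from the tree only stops future proofs, which is the caveat the issue raises about Discord/Telegram access.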