npm - @maci-protocol/website - Versions diffs - 0.0.0-ci.2653bc0 - Mend

@maci-protocol/website 0.0.0-ci.2653bc0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (415) hide show

package/versioned_docs/version-v1.2/key-change.md ADDED Viewed

@@ -0,0 +1,182 @@
+---
+title: MACI key change
+description: How key change messages work
+sidebar_label: Key change
+sidebar_position: 18
+---
+# MACI Key Change
+MACI's voters are identified by their MACI public key. Together with their private key, they can sign and submit messages to live Polls.
+As MACI's main property is to provide collusion resistance in digital voting applications, it is important to have a mechanism for a user to change their voting key, should this become compromised, or they wish to revoke past actions.
+## How MACI messages are processed
+In order to understand how key changing currently works in MACI, we need to understand how messages are processed.
+After a poll ends, the coordinator processes messages off chain in reverse order. To improve efficiency, messages are processed in batches, and correctness is proved for each batch using a zk-SNARK circuit.
+Due to messages being processed in reverse order, key change messages would work a bit differently than if they were processed in the same order as they were submitted.
+## Why are messages processed in reverse order?
+Reverse processing was introduced to prevent a type of attack where a briber would collude with a voter to sign up, and then submit a message to change their key to a key that the briber controls. This way the briber would have assurance that they could submit the vote they want.
+Let's take as an example the following:
+1. Alice signs up with pub key $pub1$
+2. Bob (Briber) bribes Alice and asks her to submit a key change message to $pub2$ (owned by Bob)
+3. Bob submits a vote with $pub2$
+4. Alice submits a vote with $pub1$
+If messages were processed in the same order as they were submitted, Alice's vote would not be valid, due to it being signed with a private key $priv1$ - which now would not be valid.
+On the other hand, due to messages being processed in reverse order, Alice's last message would be counted as valid as the key change would have not been processed yet. Then, Bob's vote would not be counted as valid as the current key for Alice would be $pub1$.
+> Note that a key change message should have the nonce set to 1 in order for it to be valid. We'll see a code example in the next sections.
+## Then how can a voter change their key and submit a new vote?
+A user, can submit a key change message, by simply sending a new message signed with their signup key, and setting the nonce to 1. This is because the code checks that the first message to be processed has the nonce set to 1.
+Let's take a look into a code example:
+> We have two users, and three keypairs
+- Create three keypairs
+```ts
+const user1Keypair = new Keypair();
+const user2Keypair = new Keypair();
+const secondKeyPair = new Keypair();
+```
+- Votes will be
+```ts
+// user1 votes for project 0
+const user1VoteOptionIndex = BigInt(0);
+// user2 votes for project 1
+const user2VoteOptionIndex = BigInt(1);
+// user1 votes 9 for the first vote
+const user1VoteWeight = BigInt(9);
+// user2 votes 3
+const user2VoteWeight = BigInt(3);
+// user1 will change their vote to 5
+const user1NewVoteWeight = BigInt(5);
+```
+- What do we expect as result
+```
+project 0 = 5 * 5 -> 25
+project 1 = 3 * 3 -> 9
+```
+As seen above, we expect the first vote weight 9 to not be counted, but instead the second vote weight 5 to be counted.
+- Deploy a MaciState locally and sign up
+```ts
+const maciState: MaciState = new MaciState(STATE_TREE_DEPTH);
+// Sign up
+user1StateIndex = maciState.signUp(user1Keypair.pubKey, voiceCreditBalance, BigInt(Math.floor(Date.now() / 1000)));
+user2StateIndex = maciState.signUp(user2Keypair.pubKey, voiceCreditBalance, BigInt(Math.floor(Date.now() / 1000)));
+// deploy a poll
+pollId = maciState.deployPoll(
+  duration,
+  BigInt(Math.floor(Date.now() / 1000) + duration),
+  maxValues,
+  treeDepths,
+  messageBatchSize,
+  coordinatorKeypair,
+);
+```
+- User1 and user2 submit their first votes
+```ts
+const poll = maciState.polls[pollId];
+const command1 = new PCommand(
+  BigInt(user1StateIndex),
+  user1Keypair.pubKey,
+  user1VoteOptionIndex,
+  user1VoteWeight,
+  BigInt(1),
+  BigInt(pollId),
+);
+const signature1 = command1.sign(user1Keypair.privKey);
+const ecdhKeypair1 = new Keypair();
+const sharedKey1 = Keypair.genEcdhSharedKey(ecdhKeypair1.privKey, coordinatorKeypair.pubKey);
+const message1 = command1.encrypt(signature1, sharedKey1);
+poll.publishMessage(message1, ecdhKeypair1.pubKey);
+const command2 = new PCommand(
+  BigInt(user2StateIndex),
+  user2Keypair.pubKey,
+  user2VoteOptionIndex,
+  user2VoteWeight,
+  BigInt(1),
+  BigInt(pollId),
+);
+const signature2 = command2.sign(user2Keypair.privKey);
+const ecdhKeypair2 = new Keypair();
+const sharedKey2 = Keypair.genEcdhSharedKey(ecdhKeypair2.privKey, coordinatorKeypair.pubKey);
+const message2 = command2.encrypt(signature2, sharedKey2);
+poll.publishMessage(message2, ecdhKeypair2.pubKey);
+```
+- User1 submits a key change message with the new vote
+```ts
+const poll = maciState.polls[pollId];
+const command = new PCommand(
+  BigInt(user1StateIndex),
+  secondKeyPair.pubKey,
+  user1VoteOptionIndex,
+  user1NewVoteWeight,
+  BigInt(1),
+  BigInt(pollId),
+);
+const signature = command.sign(user1Keypair.privKey);
+const ecdhKeypair = new Keypair();
+const sharedKey = Keypair.genEcdhSharedKey(ecdhKeypair.privKey, coordinatorKeypair.pubKey);
+const message = command.encrypt(signature, sharedKey);
+poll.publishMessage(message, ecdhKeypair.pubKey);
+```
+- We process the votes and check that the result is as expected (`user1NewVoteWeight` was 5 and `user2VoteWeight` 3)
+```ts
+const poll = maciState.polls[pollId];
+poll.processMessages(pollId);
+poll.tallyVotes();
+expect(poll.perVOSpentVoiceCredits[0].toString()).to.eq((user1NewVoteWeight * user1NewVoteWeight).toString());
+expect(poll.perVOSpentVoiceCredits[1].toString()).to.eq((user2VoteWeight * user2VoteWeight).toString());
+```
+- Finally confirm that the keypair was changed for the user1
+```ts
+const poll = maciState.polls[pollId];
+const stateLeaf1 = poll.stateLeaves[user1StateIndex];
+const stateLeaf2 = poll.stateLeaves[user2StateIndex];
+expect(stateLeaf1.pubKey.equals(user1SecondKeypair.pubKey)).to.eq(true);
+expect(stateLeaf2.pubKey.equals(user2Keypair.pubKey)).to.eq(true);
+```
+We see that is important that we set the final message (the one with the new vote) with nonce 1, as this vote would be counted as the first vote.
+:::info
+Tests related to key changes have been added to the [core package](https://github.com/privacy-scaling-explorations/maci/blob/dev/core/ts/__tests__/) and to the [cli package](https://github.com/privacy-scaling-explorations/maci/blob/dev/cli/tests/).
+:::

package/versioned_docs/version-v1.2/overview.md ADDED Viewed

@@ -0,0 +1,47 @@
+---
+title: MACI Overview
+description: High-level overview of the MACI codebase
+sidebar_label: Overview
+sidebar_position: 4
+---
+# MACI Overview
+The MACI codebase consists of three subsystems in different programming languages:
+1. Circom circuits
+2. Solidity smart contracts
+3. TypeScript libraries
+## Circuits
+MACI has multiple circuits that ensure all off-chain computation is completed correctly. The circuits are used to generate zero-knowledge proofs (zk-SNARKs) that the votes were counted correctly. Specifically, they enforce that message processing and vote tallying were correctly executed by the coordinator. The proofs can then be verified through a verifier smart contract on-chain.
+The circuits for these zero-knowledge proofs are written
+in [Circom](https://iden3.io/circom).
+The MACI circuits are released through the [`@maci-circuits`](https://www.npmjs.com/package/maci-circuits) NPM package.
+[Learn more about MACI circuits](/docs/v1.2/circuits)
+## Smart contracts
+The MACI smart contracts handle the on-chain aspects - both the functionality and the storage - of the voting system. They provide the functionality to deploy polls, register voters, and accept votes. They also store and manage the on-chain data from transactions, such as the encrypted votes of a poll. Finally, they verify proofs of the zk-SNARK circuits, so that everyone can validate the voting results.
+The MACI smart contracts are written in [Solidity](https://soliditylang.org/).
+Contracts are released through the [`@maci-contracts`](https://www.npmjs.com/package/maci-contracts) NPM package.
+[Learn more about MACI contracts](/docs/v1.2/contracts)
+## TypeScript libraries
+The TypeScript libraries manage the business logic between the smart contracts and the circuit code. They provide a variety of functionality, such as encryption tools, utilities, and a CLI for interacting with MACI (for actions like signing up, voting, tallying votes & generating proofs).
+The MACI [TypeScript](https://www.typescriptlang.org/) libraries are released through the following NPM packages:
+- [`@maci-cli`](https://www.npmjs.com/package/maci-cli)
+- [`@maci-core`](https://www.npmjs.com/package/maci-core)
+- [`@maci-crypto`](https://www.npmjs.com/package/maci-crypto)
+- [`@maci-domainobjs`](https://www.npmjs.com/package/maci-domainobjs)
+- [`@maci-integrationtests`](https://www.npmjs.com/package/maci-integrationtests)

package/versioned_docs/version-v1.2/poll-types.md ADDED Viewed

@@ -0,0 +1,68 @@
+---
+title: MACI Poll Types
+description: Which type of polls you can run on MACI
+sidebar_label: MACI poll types
+sidebar_position: 21
+---
+# MACI Poll Types
+MACI allows to conduct polls in both a quadratic voting and non quadratic voting fashion. One should be aware that the only distinction between the two happens when messages are processed and votes tallied. On top of that, the Tally smart contract has been split into two different ones, with the non quadratic voting version one being slightly smaller, due to the need of one less function.
+This document will explain how to use each of these options.
+## Quadratic Voting
+MACI has always worked with quadratic voting. Users signing up to MACI are assigned a number of voice credits based on certain conditions (enforced by the [initial voice credit proxy contract](https://github.com/privacy-scaling-explorations/maci/blob/dev/contracts/contracts/initialVoiceCreditProxy/InitialVoiceCreditProxy.sol)), and after each vote, the number of voice credits is reduced by the square of the weight of the vote casted. For instance, if the vote weight is 5, a user must have at least 25 voice credits to cast the vote.
+To run a poll with quadratic voting, the coordinator must set the `useQuadraticVoting` parameter to `true` when creating the MACI instance. This will make the MACI instance use the `Tally` smart contract, which is the one that has been used since the beginning of MACI.
+Using MACI's cli, one can create a MACI instance with quadratic voting by running the following command:
+```bash
+maci-cli create -uq true $OTHER_PARAMETERS
+```
+Then, when generating the zkSNARK proofs, the coordinator should pass the following to the `genProofs` command:
+```bash
+maci-cli genProofs -uq true $OTHER_PARAMETERS
+```
+For users, when verifying the tally results, please ensure that the tally file contains the entry:
+```json
+{
+  "isQuadratic": true
+}
+```
+If verifying without a tally file, but by passing a tally data object, please ensure that the object has the same entry set to true.
+## Non Quadratic Voting
+The non quadratic voting option is a new feature that has been added to MACI with the v1.2 release. It allows to conduct polls without the quadratic voting mechanism. This means that the number of voice credits is not reduced by the square of the weight of the vote casted. This option is useful for polls where the quadratic voting mechanism is not necessary, and it is also slightly cheaper for coordinators to tally votes, as there are less checks required in the Tally smart contract.
+To run a poll with non quadratic voting, the coordinator must set the `useQuadraticVoting` parameter to `false` when creating the Poll instance. This will make the Poll instance use the `NonQv` logic.
+Using MACI's cli, one can create a MACI instance with non quadratic voting by running the following command:
+```bash
+maci-cli create -uq false $OTHER_PARAMETERS
+```
+Then, when generating the zkSNARK proofs, the coordinator should pass the following to the `genProofs` command:
+```bash
+maci-cli genProofs -uq false $OTHER_PARAMETERS
+```
+For users, when verifying the tally results, please ensure that the tally file contains the entry:
+```json
+{
+  "isQuadratic": false
+}
+```
+If verifying without a tally file, but by passing a tally data object, please ensure that the object has the same entry set to false.

package/versioned_docs/version-v1.2/primitives.md ADDED Viewed

@@ -0,0 +1,216 @@
+---
+title: MACI Primitives
+description: A short introduction of the main primitives used by MACI
+sidebar_label: Primitives
+sidebar_position: 6
+---
+## MACI primitives
+This section provides a short introduction to the main primitives used by MACI.
+### Elliptic Curves
+MACI uses the Baby Jubjub Elliptic [Curve](https://iden3-docs.readthedocs.io/en/latest/_downloads/33717d75ab84e11313cc0d8a090b636f/Baby-Jubjub.pdf). The `p` scalar field of choosing is:
+$p=21888242871839275222246405745257275088548364400416034343698204186575808495617$
+with generator:
+$995203441582195749578291179787384436505546430278305826713579947235728471134$
+$5472060717959818805561601436314318772137091100104008585924551046643952123905$
+and within the finite field with modulo $p$.
+### Key Pairs
+MACI uses Node.js's `crypto.randomBytes(32)` function to generate a cryptographically strong pseudorandom 32-byte value, as well as an algorithm to prevent modulo bias. In pseudocode this is:
+```python
+lim = 2 ** 256
+min = lim - p
+rand = null
+while true:
+    rand = BigInt(crypto.getRandomBytes(32))
+    if rand >= min:
+        break
+privKey = rand % p
+```
+A public key is a point on the Baby Jubjub [curve](https://iden3-docs.readthedocs.io/en/latest/_downloads/33717d75ab84e11313cc0d8a090b636f/Baby-Jubjub.pdf), which is deterministically derived from a private key `s`.
+### Message Signing
+To sign messages, MACI uses the Edwards-curve Digital Signature Algorithm (EdDSA), implemented by [iden3](https://iden3-docs.readthedocs.io/en/latest/iden3_repos/research/publications/zkproof-standards-workshop-2/ed-dsa/ed-dsa.html#ed-dsa).
+### Hash Functions
+MACI uses the Poseidon hash function, which is proven to be very efficient in ZK applications. Poseidon accepts $n$ inputs and produces 1 output:
+$y = poseidon_n([x_1, x_2, ..., x_n])$
+Also, SHA256 is used to compress public inputs to a circuit into a single field element in the finite field $F$ mod $p$.
+### Message Encryption
+In order to encrypt messages, MACI uses Poseidon in DuplexSponge [mode](https://dusk.network/uploads/Encryption-with-Poseidon.pdf). This provides an encryption function and a decryption function:
+- $C$ as $poseidonEncrypt(k_s[0], k_s[1], N, l, t[])$
+- $poseidonDecrypt(k_s[0], k_s[1], N, l, C)$
+In more details,
+- $k_s$ is the shared key, a point on the Baby Jubjub curve
+- $N$ is the nonce, which we hardcode to 0
+- $l$ is the length of the plaintext $t[]$
+The implementation can be found [here](https://github.com/weijiekoh/circomlib/).
+### Shared Key Generation
+The ECDH algorithm is used to generate a shared key, which is then used to encrypt each message. This allows to create messages which are only decryptable by the coordinator and the person sending the message.
+In more details:
+- The coordinator's public key $cPk$ is known to all. Their private key $cSk$ is secret.
+- When the user publishes a message (i.e. casts a vote), they generate an ephemeral keypair with private key $eSk$ and public key $ePk$.
+- The user generates the shared key $k$ using the coordinator's public key $cPk$ and the user's ephemeral private key $eSk$.
+- The user encrypts the command and signature with $k$ to form a message.
+- The user sends their ephemeral public key $ePk$ along with the ciphertext. The coordinator can recover the same shared key using their private key $cSk$ and the given ephemeral public key $ePk$.
+### Merkle Trees
+Rather than using Binary merkle trees, MACI uses Quinary merkle trees (5 leaves per node). This allows for more gas efficient computation using the Poseidon hash function.
+#### Accumulator queue
+This contract holds user sign-ups and messages. When a leaf is inserted into the `AccQueue`, the merkle root is not updated yet, instead the leaf is updated or the root of a subtree is re-computed. The smart contract exposes three functions:
+- `enqueue(leaf)`: Enqueues a leaf into a subtree
+  four out of five times it is invoked, an enqueue operation may or may not require the contract to perform a hash function. When it does, only up to $t_d$ required number of hashes need to be computed
+- `mergeSubRoots()`: Merge all subtree roots into the shortest possible Merkle tree to fit
+  Before computing the main Merkle root, it is necessary to compute the smallSRTroot (the smallest subroot tree root). This is the Merkle root of a tree which is small enough to fit all the subroots
+  function which allows the coordinator to specify the number of queue operations to execute. The entire tree may be merged in a single transaction, or it may not.
+- `merge()`: Calculate the Merkle root of all the leaves at height $d_t$
+### Domain Objects
+#### Verifying Keys
+A verifying key $vk$ is comprised of the following elements:
+1. $\alpha$, a point in the curve on which $G_1$ is defined
+2. $$\beta$$, a point in the curve on which $G_2$ is defined
+3. $\gamma$, a point in the curve on which $G_2$ is defined
+4. $\delta$, a point in the curve on which $G_2$ is defined
+5. $ic[]$, a list of points in the curve on which $G_1$ is defined
+A verifying key is used to validate a zk-SNARK proof. Each unique permutation of parameters to a particular circuit has a different verifying key.
+#### Private Keys
+MACI's private keys allow users to send and decrypt messages. This key translates to a scalar point on the Baby Jubjub elliptic curve. All keys are serialized with the prefix `macisk`.
+#### Public Keys
+Public keys also translate to a point on the Baby Jubjub elliptic curve, and is derived from the private key $k$. These are serialized with the prefix `macipk`.
+#### Key Pair
+A Key Pair is a private key and its corresponding public key.
+#### Command
+A command represents an action that a user may take. Such as casting a vote in a poll or changing their public key if bribed. It is made up of the following parameters:
+| Symbol       | Name                    | Size | Description                                                                                         |
+| ------------ | ----------------------- | ---- | --------------------------------------------------------------------------------------------------- |
+| $cm_i$       | State index             | 50   | State leaf index where the signing key is located                                                   |
+| $cm_{p_{x}}$ | Public key x-coordinate | 253  | If no change is necessary this parameter should reflect the current public key's x-coordinate       |
+| $cm_{p_{y}}$ | Public key y-coordinate | 253  | If no change is necessary this parameter should reflect the current public key's y-coordinate       |
+| $cm_{i_{v}}$ | Vote option index       | 50   | Option state leaf index of preference to assign the vote for                                        |
+| $cm_w$       | Voting weight           | 50   | Voice credit balance allocation, this is an arbitrary value dependent on a user's available credits |
+| $cm_n$       | Nonce                   | 50   | State leaf's index of actions committed plus one                                                    |
+| $cm_{id}$    | Poll id                 | 50   | The poll's identifier to cast in regard to                                                          |
+| $cm_s$       | Salt                    | 253  | An entropy value to inhibit brute force attacks                                                     |
+#### Message
+A message is an encrypted command using the shared key $k_s$ between the voter and the coordinator. The plaintext $t$ is computed as such:
+$t = [p, cm_{p_{x}}, cm_{p_{y}}, cm_s, R8[0], R8[1], S]$
+While the message can be computed with the formula below:
+$M$ = ${poseidonEncrypt}(k_s[0], k_s[1], cm_n, 7, t)$
+#### Decrypting a message
+To decrypt a message using $k_s$ is expressed as
+$[p, R8[0], R8[1], cm_s]$ = ${poseidonDecrypt}(M, k_s[0], k_s[1], cm_n, 7)$
+To unpack $p$ to its original five parameters, it must be separated into 50 bit values from the parent 250 bit value. To extract 50 bits at byte $n$, we:
+1. initialise 50 bits
+2. shift left by $n$ bits
+3. bitwise AND with $p$
+4. shift right by $n$ bits
+### Ballot
+A Ballot represents a particular user's votes in a poll, as well as their next valid nonce. It is akin to a voting slip, which belongs to only one voter and contains a list of their choices.
+| Symbol    | Name                       | Comments                                                                   |
+| --------- | -------------------------- | -------------------------------------------------------------------------- |
+| $blt_{v}$ | An array of vote weights   | $blt_{v[i]}$ refers to the vote weights assigned to vote option $i$        |
+| $blt_n$   | The current nonce          | Starts from 0 and increments, so the first valid command must have nonce 1 |
+| $blt_d$   | The vote option tree depth |                                                                            |
+The hash $blt$ is computed as such:
+1. Compute the Merkle root of $blt_v$, arity 5, of a tree of depth $blt_d$; let this value be $blt_r$
+2. Compute $poseidon_2([blt_n, blt_r])$
+### State leaf
+A state leaf represents a user's participation declared through an identity (their public key) and information relevant to their ability or right to cast votes in a poll (their voice credit balance and the block timestamp at which they signed up).
+We define a state leaf $sl$ as the $poseidon_4$ hash of the following:
+| Symbol     | Name                      | Comments                                    |
+| ---------- | ------------------------- | ------------------------------------------- |
+| $sl_{P_x}$ | Public key's x-coordinate |                                             |
+| $sl_{P_y}$ | Public key's y-coordinate |                                             |
+| $sl_{v}$   | Voice credit balance      |                                             |
+| $sl_{t}$   | Block timestamp           | In Unix time (seconds since Jan 1 1970 UTC) |
+The hash $sl$ is computed as such:
+$sl = poseidon_4([sl_{A_x}, sl_{A_y}, sl_{v}, sl_{t}])$
+#### Blank state leaf
+A blank state leaf $sl_B$ has the following value:
+$6769006970205099520508948723718471724660867171122235270773600567925038008762$
+This value is computed as such:
+$A_{b_x} = 10457101036533406547632367118273992217979173478358440826365724437999023779287$
+$A_{b_y} = 19824078218392094440610104313265183977899662750282163392862422243483260492317$
+$sl_B = poseidon_4([A_{b0}, A_{b1}, 0, 0])$
+The code to derive $A_{b_x}$ and $A_{b_y}$ is [here](https://github.com/iden3/circomlib/blob/d5ed1c3ce4ca137a6b3ca48bec4ac12c1b38957a/src/pedersen_printbases.js). The function call required is `pedersenHash.getBasePoint('blake', 0)`
+1. Hash the string `PedersenGenerator_00000000000000000000000000000000_00000000000000000000000000000000` with $blake_{256}$. In big-endian hexadecimal format, the hash should be `1b3ef77ef2cd620fd2358e69dd564f35556aad552fdd7f06b777bd3a1d697160`.
+2. Set the 255th bit to 0. The result should be `1b3ef77ef2cd620fd2358e69dd564f35556aad552fdd7f06b777bd3a1d697120`.
+3. Use the method to convert a buffer to a point on the BabyJub curve described in [2.3.2].
+4. Multiply the point by 8. The result is the point with x-value $A_{b_x}$ and y-value $A_{b_y}$
+Given the [elliptic curve discrete logarithm problem](https://wstein.org/edu/2007/spring/ent/ent-html/node89.html), we assume that no one knows the private key $s \in {F}_p$ and by using the public key generation procedure in [1.4], we can derive $A_{b_x}$ and $A_{b_y}$. Furthermore, the string above (`PedersenGenerator...`) acts as a nothing-up-my-sleeve value.

package/versioned_docs/version-v1.2/project-ideas.md ADDED Viewed

@@ -0,0 +1,14 @@
+---
+title: MACI Project Ideas
+description: Community-sourced ideas of projects you could build with MACI
+sidebar_label: MACI Project ideas
+sidebar_position: 23
+---
+# Build on MACI
+Are you interested in building on MACI but not sure what a useful project or application might be?
+Good news - you're in the right place!
+The MACI core team maintains a wishlist of community-sourced ideas to build with/for/on MACI. Check out our ["Project ideas to build with MACI" GitHub Discussion](https://github.com/privacy-scaling-explorations/maci/discussions/1136) for the up-to-date list! We encourage you to find inspiration here and comment in the discussion to suggest ideas of your own.

package/versioned_docs/version-v1.2/purpose.md ADDED Viewed

@@ -0,0 +1,62 @@
+---
+title: Why MACI Matters
+description: An overview of the purpose of MACI
+sidebar_label: Purpose
+sidebar_position: 2
+---
+# Why MACI Matters
+To understand the promise of on-chain voting and the purpose of MACI, we highly recommend reading [Vitalik's post on blockchain voting](https://vitalik.eth.limo/general/2021/05/25/voting2.html). He provides an overview of the incredible potential of e-voting and why blockchains are an excellent technology to implement e-voting solutions on top of.
+Below we attempt to summarize some of the points laid out in that post:
+## Security requirements of a voting system
+Any voting system requires a few crucial security properties in order to be trusted by users:
+- **Correct execution**: the result (tally of votes) must be correct, and the result must be guaranteed by a transparent process (so that everyone is convinced that the result is correct)
+- **Censorship resistance**: anyone eligible to vote should be able to vote, and it should not be possible to interfere with anyone's attempt to vote or to prevent anyone’s vote from being counted
+- **Privacy:** you should not be able to tell which candidate someone specific voted for, or even if they voted at all
+- **Coercion resistance:** you should not be able to prove to someone else how you voted, even if you want to
+## Voting systems
+Looking at various approaches to implement a voting system, we can see how they compare across these properties.
+### In-person voting systems
+In short, it's hard to know for sure how current voting systems operate. Governments and corporations spend lots of resources on their systems and processes in an attempt to ensure their integrity, but ultimately neither the systems nor the processes are fully auditable, so we must trust that these security properties are being enforced.
+|                       | In-person |
+| --------------------- | --------- |
+| Correct execution     | 🤷‍♂️        |
+| Censorship resistance | 🤷‍♂️        |
+| Privacy               | 🤷‍♂️        |
+| Collusion resistance  | 🤷‍♂️        |
+### Blockchain voting systems
+Blockchains provide two key properties: correct execution and censorship resistance. In terms of execution, the blockchain accepts inputs (transaction) from users, correctly processes them according to some pre-defined rules, and returns the correct output. No one is able to change the rules. Any user that wants to send a transaction and is willing to pay a high enough fee can send the transaction and expect to see it quickly included on-chain.
+By default, however, Blockchain voting applications face challenges. Ethereum, like most blockchains, is completely transparent - all transaction data is public, so there is no privacy for voters or their votes. This makes bribery very easy as a result: someone can easily show a transaction receipt that proves how they voted. In some cases, bribery can be completely automated via smart contracts to make collusion entirely trustless.
+|                       | In-person | Ethereum |
+| --------------------- | --------- | -------- |
+| Correct execution     | 🤷‍♂️        | ✅       |
+| Censorship resistance | 🤷‍♂️        | ✅       |
+| Privacy               | 🤷‍♂️        | ❌       |
+| Collusion resistance  | 🤷‍♂️        | ❌       |
+### Blockchain voting systems (with ZKPs)
+Enter zero-knowledge proofs (ZKPs), which when combined with blockchains like Ethereum, can enable private on-chain voting but maintain public on-chain results that are verifiable by anyone (including smart contracts). Vote tallying takes place off-chain but ZKPs are submitted and verified on-chain, which guarantees votes are counted correctly without revealing the individual votes.
+|                       | In-person | Ethereum | Ethereum w/ ZK |
+| --------------------- | --------- | -------- | -------------- |
+| Correct execution     | 🤷‍♂️        | ✅       | ✅             |
+| Censorship resistance | 🤷‍♂️        | ✅       | ✅             |
+| Privacy               | 🤷‍♂️        | ❌       | ✅             |
+| Collusion resistance  | 🤷‍♂️        | ❌       | ✅             |
+This, in essence, is why MACI exists. By combining these technologies in novel ways, we believe we can achieve all the core security properties that a voting system must have.