SNARVs: Succinct Non-Interactive Arguments of Voting – protocols for cost-effective, off-chain e-voting.

2022-11-25 by Vincenzo Iovino and Matan Prasma.

Currently, voting protocols for DAOs are carried out without any privacy, that is, the preference of each voter is publicly visible to everybody. Moreover, to tally the result, a large amount of gas is consumed on the Ethereum network. To address this problem, Aragon’s ZK-research team has developed OVOTE\({}^{(1)}\) as a solution to minimise gas consumption on-chain. This is done by moving the voting procedure off-chain and verifieng the result using an on-chain SNARK proof. General-purpose SNARKs like the one of \(\text{Groth}^{(2)}\), allow the proof to be verified in constant time, precisely using \(3\) pairings and \(t\) exponentiations where \(t\) is the number of elements of the public statement.


In an upcoming paper\(^{(3)}\) we propose a general model that encompasses both anonymous and non-anonymous e-voting, which we call Succinct Non-Interactive Arguments of Voting (SNARV). Both OVOTE and two new protocols, BatRaVot and SchnorrVot, on which we’ll ellaborate in a subsequent post, can be seen as special cases of SNARV.

A SNARV is comprised of the following algorithms.


For security, we require that no adversary is able to forge a proof for e.g., a number of YES strictly greater than the number of observed signatures for a given election.

More formally, we define a strong soundness experiment for a given SNARV. During the experiment, an adversary can corrupt voters getting their secret-keys or controlling the generation of their public-keys. For any integer \(n\), a set \(C\subsetneq [n]\) and a list of \(n-|C|\) elements \(\{SK_i\}_{i\in [n]-C}\), we assume to have a VoteOracle algorithm (for non-corrupted users) \(VO_{(\left\{SK_i\right\}_{i\in [n]-C},[n]-C)}(\cdot,\cdot,\cdot)\) that, on input \((id,v,i)\), outputs \(Vote(id,v,SK_i)\) if \(v\in\left\{0,1\right\}\) and \(i\in [n]-C\) and ERROR otherwise.

Consider the following strong soundness experiment parameterized by an integer \(n\), a security parameter \(\lambda\), a SNARV \(%(Gen,Setup,Vote,BalVerify,Prov,Ver,PKVerify)\) and an efficient adversary \(A := \left\{A_\lambda\right\}_\lambda\).

  1. Parameters Generation Phase. We sample a random string of \(\lambda\) bits, \(s\leftarrow \left\{0,1 \right\}^\lambda\) and generate the public prameters \(\textit{pp} \leftarrow Gen(1^\lambda;s).\)

  2. Corruption Phase. The adversary \(A\) chooses a set of “corrupted users” \(C\leftarrow A(s)\) such that \(C \subsetneq [n]\).

  3. Setup Phase. We generate public- and secret-keys for all non-corrupted users: \(\forall i\in[n]-C\), \((PK_i,SK_i)_{i\in [n]-C}\leftarrow Setup(1^\lambda)\).

  4. Voting Phase. The adversary \(A\) is allowed to query VoteOracle to produce verifiable Ballots for any non-corrupted user. Then, \(A\) is required to output an election result \((id,m_0,m_1)\) together with a proof \(\pi\) of its correctness and the list of PKs for the corrupted users it has chosen in the start. \((id,m_0,m_1,S_0,S_1,\pi,\left\{PK_i\right\}_{i\in C})\leftarrow\) \(\;\;\;\;\;\;\;\;\;\;\;\;\;\;\;\;A^{VO_{(\left\{SK_i\right\}_{i\in [n]-C},[n]-C)}(\cdot,\cdot,\cdot)} (\left\{ PK_i \right\}_{i\in [n]-C}).\) Using the PKs from the setup algorithm together with the PKs of the corrupted users that \(A\) provided, a census \(r\) is created. \(r\leftarrow Census(PK_1,...,PK_n)\).

  5. Winning Conditions. For any \(v\in \left\{0,1\right\}\), let \(S_v^q\subseteq [n]\) be such that \(i\in S_v^q\) iff \(A\) asked the query \((id,v,i)\) to VoteOracle. The output of the experiment is \(1\) (\(A\) wins) iff all the following conditions hold:

A SNARV satisfies strong soundness if for all efficient adversaries \(A\), the probability that \(A\) wins in the strong soundness experiment is a negligible function of the security parameter \(\lambda\).

With this mind, we prove

\(\underline{Theorem}:\) Under the Computational Diffie-Hellman assumption, our SNARV protocols BatRaVot and SchnorrVot satisfy strong soundness.


Our new model SNARV serves as a general framework for e-voting protocols. OVOTE and two other voting protocols BatRaVot and SchnorrVot are examples of SNARVs and one can reason about security of these protocols in a unified way.

Furthermore, as we will explain in an upcoming post, BatRaVot and SchnorrVot improve on the gas cost compared to OVOTE when the number of voters is not to large, and offer additional security guarantees.

Stay tuned!

(A short version of the document is accessible ).


(1) Arnaucube, Pau Escrich, Roger Baig, and Alex Kampa. Ovote (v0.5) : Off-chain voting with on-chain trustless execution. 2022.

(2) Jens Groth. On the size of pairing-based non-interactive arguments. 2016.

(3) Vincenzo Iovino, Alex Kampa and Matan Prasma. SNARV: Succinct Non-Interactive Arguments of Voting (in preparation).

Go to main