Shumo Chu

Semaphore: the unsung hero behind Zuzalu Pass and Worldcoin

(originally posted on substack)

I have been enjoying living in the Crypto + AI + Longevity + Synthetic Bio + Philosophy co-living experience called Zuzalu from April to May. Every resident was given a ZuPass (credits: Vivek, Gubsheep, Ivan, and Jon Ying), which is your credential for online, onchain and IRL access. ZuPass looks like this on your phone:

[image: ZuPass as shown on a phone]

It looks exactly like a wallet app, except it can also act as your onchain identity. Zuzalu residents use ZuPass to join online and IRL events, express their opinions anonymously on the program, and receive artistically crafted NFTs. For example, I joined the Zuzalu hackathon, so I received a “Zuzalu Hacker” NFT.

Recently a proof-of-personhood protocol, Worldcoin, launched its mainnet on the Ethereum L2 Optimism. It uses offchain iris scanners, a.k.a. the Orbs, to verify participants’ personhood and then creates a wallet (World ID) for every verified human (see Vitalik’s writeup of Worldcoin here). My World ID looks like this:

[image: World ID as shown on a phone]

WTF is Semaphore?

One sentence:

Semaphore is your anonymous identity vault on Ethereum

When interacting with a blockchain you need an account. That account has a secret key, so that only you can sign transactions, and a corresponding public key, from which your public address (your public identifier) is derived. When you issue and sign a transaction, anyone can check its validity by verifying the signature against your public key.

[figure: signing a transaction with an Ethereum account]

This works great, except that every single transaction you sign is now linked to your public key, no matter whether the transaction transfers ETH, votes in onchain governance, or just signs you in at a night club at Zuzalu (if Zuzalu used your ETH address as your identity; the Zuzalu organizers are smarter than that).

So how can we have an anonymous identity solution? Semaphore addresses this problem using zero-knowledge proofs. More precisely, a Semaphore proof’s statement consists of two parts:

  1. a membership proof: a proof that a particular identity commitment (a hash commitment to your secret identity, which in Semaphore terms consists of an identity trapdoor and an identity nullifier) is part of a predefined group. The group is implemented as a Merkle tree onchain, and the proof shows that your commitment is a leaf under the current root without revealing which leaf it is. For example, if you want to join Verbs DAO, Verbs DAO needs to add your identity commitment to its Merkle tree.

  2. a deterministic nullifier: a nullifying scheme that prevents a group member from signaling more times than allowed. For example, if we use Semaphore for private voting, we need to limit each group member to one vote. We cannot enforce that onchain the way a public voting scheme based on Ethereum accounts does, since the membership proof is anonymous! The idea is that every Semaphore member derives an event-specific, deterministic and anonymous nullifier: a hash of the event’s external nullifier and the member’s secret identity nullifier. Two signals from the same member for the same external nullifier produce the same nullifier hash, so the verifier can reject the second one, while signals for different events produce unlinkable nullifiers. The original nullifier design allows you to signal exactly once per external nullifier; people later generalized it into a scheme called Rate Limiting Nullifier (RLN), which lets a member signal up to a fixed number of times per epoch and leaks the member’s secret if that limit is exceeded.

[figure: simplified Semaphore proof, membership part only]

The picture above is a simplified version of Semaphore (I removed the identity nullifier part for simplicity).
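To make the two-part statement concrete, here is an added example, written for this post rather than taken from the Semaphore project, that evaluates the relation in the clear in Python. It replaces Poseidon with SHA-256, uses a depth-4 tree, and hands the private inputs (trapdoor, identity nullifier, Merkle path) straight to the verifier, so it shows exactly what the circuit checks but not the zero-knowledge property: in real Semaphore those private inputs never leave the prover, and the verifier sees only the root, the nullifier hash, the external nullifier, the signal and a SNARK. The identities, the group, the event names and the `Verifier` class are all constructed for the example.

```python
import hashlib
from typing import List, NamedTuple, Tuple

DEPTH = 4  # Semaphore V3 supports much deeper trees; 4 keeps the demo small (assumption)

def H(*parts: bytes) -> bytes:
    """Stand-in for Poseidon, which Semaphore uses over the BN254 field. SHA-256 is used
    here only so the example runs with the standard library; parts are length-prefixed."""
    h = hashlib.sha256()
    for p in parts:
        h.update(len(p).to_bytes(2, "big") + p)
    return h.digest()

class Identity(NamedTuple):
    trapdoor: bytes    # both halves are private; together they form the identity secret
    nullifier: bytes

    @property
    def commitment(self) -> bytes:
        return H(H(self.nullifier, self.trapdoor))   # the public leaf stored in the group

class Group:
    """Merkle tree of identity commitments: the onchain group."""
    def __init__(self, depth: int = DEPTH):
        self.depth, self.leaves = depth, []

    def add_member(self, leaf: bytes) -> int:
        if len(self.leaves) >= 2 ** self.depth:
            raise ValueError("group is full")
        self.leaves.append(leaf)
        return len(self.leaves) - 1            # leaf index, needed to build the Merkle path

    def _layers(self) -> List[List[bytes]]:
        layer = self.leaves + [bytes(32)] * (2 ** self.depth - len(self.leaves))
        layers = [layer]
        for _ in range(self.depth):
            layer = [H(layer[i], layer[i + 1]) for i in range(0, len(layer), 2)]
            layers.append(layer)
        return layers

    def root(self) -> bytes:
        return self._layers()[-1][0]

    def merkle_proof(self, index: int) -> Tuple[List[bytes], List[int]]:
        siblings, path_bits = [], []
        for layer in self._layers()[:-1]:
            siblings.append(layer[index ^ 1])
            path_bits.append(index & 1)        # 1 means our node is the right child
            index >>= 1
        return siblings, path_bits

def nullifier_hash(external_nullifier: bytes, identity_nullifier: bytes) -> bytes:
    return H(external_nullifier, identity_nullifier)

def circuit_statement(private: dict, public: dict) -> bool:
    """The relation the Semaphore circuit proves, evaluated in the clear. In the real
    protocol `private` never leaves the prover; the verifier sees only `public` and a SNARK."""
    node = H(H(private["nullifier"], private["trapdoor"]))       # recompute the leaf
    for sib, bit in zip(private["siblings"], private["path_bits"]):
        node = H(sib, node) if bit else H(node, sib)
    if node != public["root"]:                                   # part 1: membership
        return False
    # part 2: the nullifier is a deterministic function of (external nullifier, identity
    # nullifier). The signal is a public input too, bound by the proof so it cannot be swapped.
    return public["nullifier_hash"] == nullifier_hash(public["external_nullifier"], private["nullifier"])

def prove(idn: Identity, group: Group, index: int, external_nullifier: bytes, signal: bytes):
    siblings, path_bits = group.merkle_proof(index)
    private = {"trapdoor": idn.trapdoor, "nullifier": idn.nullifier,
               "siblings": siblings, "path_bits": path_bits}
    public = {"root": group.root(), "external_nullifier": external_nullifier, "signal": signal,
              "nullifier_hash": nullifier_hash(external_nullifier, idn.nullifier)}
    return private, public

class Verifier:
    def __init__(self, root: bytes):
        self.root, self.seen = root, set()      # contract state: current root, spent nullifiers

    def accept(self, private: dict, public: dict) -> bool:
        if public["root"] != self.root or not circuit_statement(private, public):
            return False                       # circuit_statement stands in for the SNARK verifier
        if public["nullifier_hash"] in self.seen:
            return False                       # second signal for the same external nullifier
        self.seen.add(public["nullifier_hash"])
        return True

def demo() -> List[bool]:
    group = Group()
    # seeded identities so the demo is reproducible; real identities use fresh randomness
    alice, bob, eve = [Identity(H(b"trapdoor", n), H(b"nullifier", n)) for n in (b"alice", b"bob", b"eve")]
    i_alice = group.add_member(alice.commitment)
    group.add_member(bob.commitment)           # eve is never added to the group
    verifier = Verifier(group.root())
    party_vote, invite_vote = b"farewell-party-venue", b"next-zuzalu-invites"
    return [
        verifier.accept(*prove(alice, group, i_alice, party_vote, b"beach")),   # True
        verifier.accept(*prove(alice, group, i_alice, party_vote, b"hotel")),   # False: nullifier replay
        verifier.accept(*prove(alice, group, i_alice, invite_vote, b"yes")),    # True: different event
        verifier.accept(*prove(eve, group, i_alice, party_vote, b"beach")),     # False: not a member
    ]
```

The `demo()` function walks through the four cases a verifier has to get right: a member's first signal for an event is accepted, a second signal for the same external nullifier is rejected because it hashes to the same nullifier, the same member signaling for a different external nullifier is accepted with an unlinkable nullifier, and a non-member is rejected because her leaf does not hash up to the group root. Note that the replay check only works because the external nullifier is mixed into the nullifier hash inside the proven statement; if the verifier deduplicated on something the prover could choose freely, a member could vote as often as they liked.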

Semaphore use cases

Semaphore can be used in many settings where an anonymous identity is needed; below is an incomplete list of use cases:

  • Private voting: we can use Semaphore to create private voting applications. For example, Zuzalu residents can vote anonymously on important governance matters such as where to host the farewell party and who should be invited to the next Zuzalu.

  • Anonymous social: people can express their opinions anonymously, with the membership proof showing they belong to the community and rate limiting preventing spam.

  • Private DeFi: in fact, you could build something like Tornado Cash quite easily on Semaphore without writing your own circuit: a deposit adds a commitment to the group, and a withdrawal proves membership with a nullifier that stops the same deposit from being withdrawn twice.

Besides ZuPass and Worldcoin, projects such as UniRep, Interep and ZK3 are using Semaphore.

What are the limitations of Semaphore?

Semaphore is an evolving protocol. The Semaphore team has built not only the zero-knowledge circuits but also the infrastructure around them, such as an SDK, a block explorer and group-management tools. In my view, the current Semaphore protocol (V3) has the following limitations:

  • Expensive onchain verification: it is still relatively expensive to verify a Semaphore proof onchain. This may not be the fault of the Semaphore designers, but an onchain verification cost of around 200K-300K gas stands in the way of mass adoption.

  • Not reusing existing identities: one of the biggest UX issues with Semaphore is that it is not compatible with existing account and identity systems such as EOAs, account-abstraction wallets such as Gnosis Safe, and ENS names. A Semaphore identity is a separate secret that the user has to generate and back up on its own.

  • Requiring a trusted setup: the Groth16 proof system Semaphore uses needs a trusted setup ceremony for each circuit version. Although the setup only has to be done once per version, removing this requirement would let the Semaphore protocol evolve more quickly.