The problem Katz solves

Katz lets you vote for your favorite candidate with greater anonymity. By leveraging recursive proofs with o1js and using Mina to settle the election results on-chain, your vote is kept private from the rest of the public while the overall election results can be known by anyone.

Challenges I ran into

At first, as I struggled with recursive proofs in o1js I started with a simple Mina smart contract that doesn't use any recursive proof so that I could use it as a base for the web app that I developed for the project. I was also constrained by the limit of 8 state fields of on-chain storage of Mina, so I played strictly within this limit in this smart contract without relying on any off-chain storage (by using Merkle tree which adds some complexity). With this in mind, I managed to quickly deploy the smart contract on Berkeley and connect the web app to it, so has to have a fully working prototype of the UI.

The solution is only partial at this moment, a system of permissions should be added to the smart contract to constrain who has the right to edit the election details.

Keeping the vote private using ZK is no small feat, as such this current implementation is only what I would call semi-private. Since the vote aggregator must know the votes and the public key of the voters to calculate the state transition and generate its proof, the voters' decisions are then known to him or her. Therefore, some amount of trust rests upon the aggregator. The proof still guarantees that the state transition is correct but the aggregator should be trusted not to leak the votes to the public. One way to remediate it could be by removing the registration of the voters, which makes the identity behind the public keys easier to discover for the aggregator, and then replacing this constraint with proof of personhood. Essentially just allow anyone who can prove is a human to vote. Less restrictive but the public keys used become much more anonymous. Another more comprehensive alternative solution would be to use additive homomorphic encryption (as only this operation is necessary for our purpose) to add up the votes but still keep them fully private. However, this raises the question of who holds the encryption key or keys if we end up dividing and giving it up to multiple parties.