Exploring ZeroJoin#
ZeroJoin is a privacycentric mechanism designed for the Ergo blockchain, providing users with the ability to restore fungibility to digital tokens through anonymous transactions. Leveraging Sigma protocols and cryptographic techniques such as ring signatures and DiffieHellman Tuples, ZeroJoin is built to obfuscate the transaction trail, ensuring privacy and security.
How ZeroJoin Works#
ZeroJoin’s core functionality is based on cryptographic proofs that allow participants to mix their tokens with those of others, effectively breaking the link between the sender and receiver. This makes it much harder to trace individual transactions, increasing privacy. ZeroJoin accomplishes this through the use of two key Σprotocols (Sigma protocols):

ProveDlog(u): A proof of knowledge of the Discrete Logarithm of a group element \( u \) in relation to a fixed generator \( g \). The prover demonstrates knowledge of a secret \( x \), where \( u = g^x \), without revealing \( x \). This is closely related to the cryptographic principles behind Schnorr signatures.

ProveDHTuple(g, h, u, v): A proof of knowledge of a DiffieHellman tuple. The prover demonstrates knowledge of \( x \), where \( u = g^x \) and \( v = h^x \) for arbitrary generators \( g \) and \( h \), again without revealing \( x \). This is a more complex protocol that combines two instances of ProveDlog.
These two protocols allow for the anonymous mixing of tokens by ensuring that participants can prove ownership and control over their tokens without revealing their identities.
StepbyStep Process#
The ZeroJoin process operates as follows:

Commitment: The prover generates a random value \( r \) and computes \( t_0 = g^r \) and \( t_1 = h^r \). These values are sent as the prover's commitment to the verifier.

Challenge: The verifier generates a random challenge \( c \) and sends it to the prover.

Response: The prover calculates \( z = r + cx \) and sends \( z \) to the verifier.

Verification: The verifier checks that \( g^z = t_0 \cdot u^c \) and \( h^z = t_1 \cdot v^c \). If both checks hold true, the verifier accepts the proof.
For noninteractive applications, the challenge \( c \) is computed using the FiatShamir transformation, which makes the protocol noninteractive by deriving the challenge as a hash of the commitment and other public data.
Privacy in ZeroJoin#
The privacy in ZeroJoin is achieved by combining multiple users' transactions in a single mixing pool. This mixing breaks the link between a particular input and output, making it difficult for an observer to trace a transaction back to its origin. The core idea of mixing is that the more participants there are in the pool, the harder it becomes to identify the sender and receiver of any specific transaction.
However, mixing privacy is only as strong as the anonymity set. A small set of participants may not provide significant privacy guarantees, which is why increasing the number of participants in a mix improves the overall anonymity and obfuscation.
Cryptographic Foundations#
DiffieHellman Tuples in ZeroJoin#
One of the core cryptographic tools in ZeroJoin is the use of DiffieHellman tuples. This allows for the generation of shared secrets between participants without ever revealing the secret itself. The security of the protocol rests on the Decision DiffieHellman (DDH) assumption, which states that given a tuple of group elements \( (g, g^x, h, h^x) \), it is computationally hard to distinguish it from a random tuple unless one knows \( x \).
In the context of ZeroJoin, this property is used to ensure that participants can prove they have the right to spend tokens without revealing their private keys or transaction details. The ProveDHTuple protocol ensures that two parties can generate a shared key and prove its validity without ever exchanging the private key.
Ring Signatures#
ZeroJoin also incorporates ring signatures, a cryptographic method that allows a user to sign a message on behalf of a group without revealing which specific member of the group signed the message. This is used to further enhance privacy, as it enables participants to mix their transactions with those of others, making it impossible to determine which specific individual authorized the transaction.
In ZeroJoin, ring signatures are essential for ensuring that even if a participant mixes their funds, they cannot be singled out as the originator of the transaction. By pooling transactions together in a ring, every participant shares the same level of anonymity.
NonInteractive Mixing#
ZeroJoin employs noninteractive mixing, which means that users do not need to coordinate with each other directly to participate in a mixing session. Instead, the mixing process can be conducted asynchronously, allowing users to submit their funds to the mixing pool at different times and still benefit from the privacy protections offered by ZeroJoin.
This noninteractive model is enabled through the FiatShamir transformation, which transforms the interactive Sigma protocol into a noninteractive version by using hash functions to simulate the verifier's challenge. This ensures that users can prove they are part of the mix without requiring realtime interaction, which reduces the complexity of coordinating a mixing session and increases usability.
Enhanced Privacy: ZeroJoin and Covert Stealth Transactions#
Though ZeroJoin focuses on providing private and anonymous transactions through mixing, its effectiveness can be greatly enhanced when combined with Stealth Addresses and Covert Addresses. These features, introduced by ErgoMixer, ensure that both sender and receiver identities remain concealed, making it nearly impossible to trace transactions on the Ergo blockchain.

Stealth Addresses generate unique onetime addresses for each transaction. Even if a user repeatedly mixes tokens using ZeroJoin, linking these transactions back to the same individual becomes nearly impossible when Stealth Addresses are used. This is achieved through noninteractive cryptographic procedures, such as DiffieHellman key exchanges, allowing the recipient to derive the unique address for each transaction while maintaining privacy.

Covert Addresses serve as pseudonymous addresses, obscuring the user’s real wallet. These are especially useful when users publicly share their address but want to avoid revealing their true identity to onlookers. In ZeroJoin, covert addresses further obfuscate the transaction trail.
Conclusion#
ZeroJoin is a powerful privacy tool on the Ergo blockchain, leveraging advanced cryptographic techniques such as Sigma protocols, DiffieHellman tuples, and ring signatures to provide robust, noncustodial mixing of tokens. The noninteractive nature of ZeroJoin makes it userfriendly, allowing participants to mix their funds without requiring direct coordination with others.
When paired with Stealth Addresses and Covert Addresses, ZeroJoin becomes a comprehensive solution for achieving transactional privacy on the Ergo blockchain. It ensures that both senders and receivers remain anonymous, offering enhanced privacy guarantees compared to traditional cryptocurrency mixing mechanisms.
For more technical details and implementations, please refer to the ZeroJoin technical presentation and the ErgoMixer GitHub repository.