Mixers are crucial tools for restoring fungibility in digital tokens. In Ergo, ZeroJoin is the first such mechanism implemented. It is built on ring signatures and a proof of knowledge for a Diffie-Hellman tuple, defined as follows: for publicly known g, h, u, v, there exists w such that g^w == u and h^w == v.
ZeroJoin utilizes two-party interactions known as Σ-protocols. We focus on two distinct types of Σ-protocols as explained below.
Let G be a multiplicative group of prime order q in which the Decision Diffie-Hellman (DDH) problem is hard.
The first protocol, termed proveDlog(u), is a proof of knowledge of the discrete logarithm of a specific group element u in relation to a fixed generator g. Essentially, the prover confirms knowledge of x such that u = g^x, using Schnorr signatures.
The second protocol primitive, denoted proveDHTuple(g, h, u, v), is a proof of knowledge of a Diffie-Hellman tuple. In this case, the prover confirms knowledge of x such that u = g^x and v = h^x for arbitrary generators g and h.
This second protocol essentially executes two instances of the first protocol simultaneously.
The protocol operates as follows:
- The prover randomly selects r from Z_q, computes (t0, t1) = (g^r, h^r), and sends (t0, t1) to the verifier.
- The verifier randomly picks c from Z_q and sends c to the prover.
- The prover then sends z = r + cx to the verifier. The verifier accepts if g^z equals t0 · u^c and h^z equals t1 · v^c.
For non-interactive applications, we employ a variant of the protocol obtained through a Fiat-Shamir transformation. In this case, c equals H(t0‖t1‖m) for a specific message m to be signed.
It's important to note that the verification of proveDHTuple requires four exponentiations, while proveDlog only needs two.
Both protocols are supported by ErgoScript, offering the essential components for implementing ZeroJoin.
For more details on ZeroJoin, please refer to the ZeroJoin Presentation.