
Sigma Protocols#

Introduction#

ErgoScript incorporates proving and verifying as first-class primitives, giving developers access to a subclass of cryptographic proof systems known as non-interactive Σ-protocols (pronounced “sigma-protocols”). A script protecting a transaction output can contain statements (Σ-statements) that need to be proven (by producing Σ-proofs) to spend the output.

Conceptually, Σ-proofs are generalizations of digital signatures. The Schnorr signature scheme (whose more recent version is popularly known as EdDSA) is the canonical example of a Σ-proof: it proves that the recipient knows the discrete logarithm of the public key (the proof is attached to a specific message, such as a particular transaction, and thus becomes a signature on the message; all Σ-proofs described here are attached to specific messages).

ErgoScript provides two elementary Σ-protocols over a group of prime order (such as an elliptic curve):

  • A proof of knowledge of a discrete logarithm with respect to a fixed group generator (also known as a Schnorr signature).
  • A proof of equality of discrete logarithms (i.e., a proof of a Diffie-Hellman tuple).

Σ-protocols exist for proving a variety of properties and, importantly for ErgoScript, elementary Σ-protocols can be combined into more sophisticated ones using the techniques described in 'Proofs of Partial Knowledge and Simplified Design of Witness Hiding Protocols'.

For an introduction to Σ-protocols, we refer the reader to the paper 'On Σ-protocols'.

ErgoScript also provides the ability to build more sophisticated Σ-protocols by using connectives AND, OR, and THRESHOLD (also known as k-out-of-n). Crucially, the proof for an OR and a THRESHOLD connective does not reveal which of the relevant values the prover knows.

Composability#

Sigma protocols are the foundation of Ergo’s smart contracts. One of the great things about them is that they are composable using simple AND/OR logic.

So you can ask for a signature with the following statement:

‘Prove to me knowledge of either this secret OR that secret’ (this is a one-of-two ring signature).

Or you can ask,

‘Prove to me knowledge of any two of these three secrets’ (a two-of-three ring signature).
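
The one-of-two statement above, as an added Python example (not ErgoScript and not code from the Ergo project): the prover runs an honest Schnorr proof for the key it knows and simulates the other, so the transcript does not show which branch was real. Assumptions: a toy group `P, Q, G` constructed for illustration, SHA-256 for the Fiat-Shamir challenge, the challenge split by addition mod `Q` (one standard instantiation, not a claim about Ergo's encoding), and the hypothetical names `challenge`, `prove_or` and `verify_or`.

```python
import hashlib
import secrets

# Toy Schnorr group, constructed for illustration and far too small for real use:
# P = 2Q + 1 with P, Q prime; G = 4 generates the subgroup of order Q.
P, Q, G = 2039, 1019, 4

def challenge(msg, pks, commits):
    """Fiat-Shamir: hash the message, both public keys and both commitments."""
    data = repr((msg, list(pks), list(commits))).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def prove_or(msg, pks, known, x):
    """Prove knowledge of x with G^x = pks[known], hiding the index `known`."""
    other = 1 - known
    # Branch we cannot prove: choose its challenge and response first, then
    # solve for the commitment that makes the Schnorr check pass (simulation).
    e_sim, z_sim = secrets.randbelow(Q), secrets.randbelow(Q)
    a_sim = pow(G, z_sim, P) * pow(pks[other], -e_sim, P) % P
    # Branch we can prove: an honest Schnorr commitment.
    r = secrets.randbelow(Q)
    commits, es, zs = [0, 0], [0, 0], [0, 0]
    commits[known], commits[other] = pow(G, r, P), a_sim
    # The hash fixes the sum of the two challenges; the real one is the remainder.
    es[other] = e_sim
    es[known] = (challenge(msg, pks, commits) - e_sim) % Q
    zs[other] = z_sim
    zs[known] = (r + es[known] * x) % Q
    return commits, es, zs

def verify_or(msg, pks, proof):
    """Accept iff the challenges sum to the hash and both branches verify."""
    commits, es, zs = proof
    if sum(es) % Q != challenge(msg, pks, commits):
        return False
    return all(pow(G, z, P) == a * pow(h, e, P) % P
               for h, a, e, z in zip(pks, commits, es, zs))

if __name__ == "__main__":
    x0, x1 = 123, 456  # constructed secrets
    pks = [pow(G, x0, P), pow(G, x1, P)]
    proof = prove_or("spend box (constructed message)", pks, 1, x1)
    print(verify_or("spend box (constructed message)", pks, proof))
```

The verifier checks both branches with the same equation and only constrains the sum of the two challenges, which is why a proof made with either secret has the same form.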

Use Cases#

When combined with a blockchain, these composable proofs enable some very powerful use cases, letting us implement sophisticated tasks that would otherwise be impossible, risky, or expensive on other platforms.

Let's say you want to create a ring spending contract, where either of us can make a transaction from the same address, but we don't want anyone else to know which one of us is spending the funds. That's not possible with Bitcoin, and while Ethereum can do it, it would be expensive and complicated – especially with a ring size of 10 or 20 members, required for robust privacy.

The logic for proofs can also include conditions based on blockchain state. For example, ‘If the deadline block height has been reached, Alice can provide knowledge of a secret key for a refund. OR a ring signature from Alice and Bob is required to spend coins.’ Or ‘If this account holds a minimum of 100 ERG, Alice OR Bob can remove funds above that amount.’

With Ergo, this kind of application can be created quickly thanks to native Sigma protocols. They enable trustless scripts that can be used to access mixers or other functionality without any third parties, giving fully self-sovereign application-level privacy.

Resources#

Videos#

Applications#

DarkFund0#

Articles#

Tutorials#

Presentations#