Skip to content


Diffie-Hellman generates a shared secret between two people so that the secret cannot be seen by observing the communication. That is an important distinction:

You are not sharing information during the key exchange. You are creating a key together. This is useful for creating shared public keys in MultiSig and Ring Signature settings.

Diffie-Hellman Tuple#

Let g, h, u, v be public group elements.

The prover proves knowledge of x such that u = gx and v = hx

  1. The prover picks r โ†R Zq, computes (t0, t1) = (gr , hr) and sends (t0, t1) to the verifier.
  2. The verifier picks c โ†R Zq and sends c to prover.
  3. The prover sends z = r + cx to the verifier, who accepts if gz = t0 ยท uc and hz = t1 ยท vc.

Fiat-Shamir Transformation#

You can obtain a non-interactive variant of the above protocol via a Fiat-Shamir transformation, where c = H(t0โ€–t1โ€–m) (for some message m to be signed).

We call this proveDHTTuple(g, h, u, v)



The security of ZeroJoin is based on the Decision Diffie-Hellman (DDH) assumption, a computational hardness assumption about a certain problem involving discrete logarithms in cyclic groups.

  • A basic tool to restore the fungibility of digital notes.
  • Basic scheme, ZeroJoin, is based on ring signatures and proof of knowledge for a Diffie-Hellman tuple
  • Paper with contracts
Bitcoin Ethereum Ergo
No onchain mixing Trusted setup-based or inefficient Efficient, minimal trust assumptions

See ErgoMixer for more information.

Stealth Addresses#

Stealth Addresses are crafted to ensure recipient privacy during transactions. Leveraging a non-interactive Diffie-Hellman key exchange, they facilitate the creation of distinct one-time addresses for every transaction. While enabling recipients to securely receive funds, the linkage between the transactions and their original public address remains concealed, thereby significantly enhancing the recipient's privacy throughout the transactions.

See the Stealth Addresses page for more information.