# Diffie-Hellman
Diffie-Hellman generates a shared secret between two people so that the secret cannot be seen by observing the communication. That is an important distinction:
You are not sharing information during the key exchange. You are creating a key together. This is useful for creating shared public keys in MultiSig and Ring Signature settings.
## Diffie-Hellman Tuple

Let $g, h, u, v$ be public group elements.

The prover proves knowledge of $x$ such that $u = g^x$ and $v = h^x$:

- The prover picks $r \leftarrow_R \mathbb{Z}_q$, computes $(t_0, t_1) = (g^r, h^r)$ and sends $(t_0, t_1)$ to the verifier.
- The verifier picks $c \leftarrow_R \mathbb{Z}_q$ and sends $c$ to the prover.
- The prover sends $z = r + cx$ to the verifier, who accepts if $g^z = t_0 \cdot u^c$ and $h^z = t_1 \cdot v^c$.
## Fiat-Shamir Transformation

You can obtain a non-interactive variant of the above protocol via a Fiat-Shamir transformation, where $c = H(t_0 \| t_1 \| m)$ (for some message $m$ to be signed).

We call this `proveDHTuple(g, h, u, v)`.
## Uses

### Mixers
The security of ZeroJoin is based on the Decision Diffie-Hellman (DDH) assumption, a computational hardness assumption about a certain problem involving discrete logarithms in cyclic groups.
- A basic tool to restore the fungibility of digital notes.
- The basic scheme, ZeroJoin, is based on ring signatures and a proof of knowledge for a Diffie-Hellman tuple.
- Paper with contracts

| Bitcoin | Ethereum | Ergo |
|---|---|---|
| No onchain mixing | Trusted setup-based or inefficient | Efficient, minimal trust assumptions |
### Stealth Addresses

Another solution for improving privacy is using stealth addresses. A stealth address preserves recipient privacy without requiring per-transaction interaction: the receiver publishes an address (e.g. on its website), and the sender can then derive a unique one-time address from it.
A solution in Ergo can be based on a non-interactive Diffie-Hellman key exchange.
- A merchant, for example, publishes its public key $g^x$ corresponding to the secret $x$.
- The buyer with public key $g^y$ obtains the shared secret $(g^x)^y = (g^y)^x$.
- The box created by the buyer could be protected by `ProveDLog` of $g^{xy}$ for generator $g^y$.
- Unfortunately, `ProveDLog` in Ergo does not support custom generators, but this can be bypassed with a little Ergo magic: `proveDHTuple(g^y, g^y, g^xy, g^xy)`. The buyer can use a one-time secret $g^r$ for one-time keys.
| Bitcoin | Ethereum | Ergo |
|---|---|---|
| - | - | Efficient |
Some draft contracts are available.
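As an added example (not Ergo's own code), the three-move Diffie-Hellman tuple protocol with its Fiat-Shamir challenge, plus the stealth-address spend where the merchant's secret `x` satisfies `proveDHTuple(g^y, g^y, g^xy, g^xy)`. It runs over a small constructed group (safe prime `P = 2039`, subgroup order `Q = 1019`, generator `G = 4`); the function names and the toy parameters are assumptions for the demo.

```python
import hashlib
import secrets

# Constructed toy group for the demo: safe prime P = 2Q + 1 with Q prime,
# so G = 2^2 mod P generates the order-Q subgroup. Far too small for real use.
P = 2039
Q = (P - 1) // 2          # 1019
G = 4
NBYTES = (P.bit_length() + 7) // 8

def challenge(t0, t1, msg):
    """Fiat-Shamir challenge c = H(t0 || t1 || m), reduced into Z_q.
    (Deployed schemes usually also hash the statement g, h, u, v.)"""
    data = t0.to_bytes(NBYTES, "big") + t1.to_bytes(NBYTES, "big") + msg
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def prove_dh_tuple(g, h, u, v, x, msg):
    """Non-interactive proof of knowledge of x with u = g^x and v = h^x."""
    assert u == pow(g, x, P) and v == pow(h, x, P), "not a DH tuple for x"
    r = secrets.randbelow(Q)                    # r <-R Z_q
    t0, t1 = pow(g, r, P), pow(h, r, P)         # commitment (g^r, h^r)
    c = challenge(t0, t1, msg)                  # replaces the verifier's c
    z = (r + c * x) % Q                         # response
    return (t0, t1, z)

def verify_dh_tuple(g, h, u, v, proof, msg):
    """Accept iff g^z = t0 * u^c and h^z = t1 * v^c with c recomputed."""
    t0, t1, z = proof
    c = challenge(t0, t1, msg)
    return (pow(g, z, P) == t0 * pow(u, c, P) % P
            and pow(h, z, P) == t1 * pow(v, c, P) % P)

def stealth_spend():
    """Stealth-address flow: merchant publishes g^x, buyer derives the
    one-time key g^xy and locks a box with proveDHTuple(g^y, g^y, g^xy, g^xy);
    only the holder of x (the merchant) can produce the spending proof."""
    x = secrets.randbelow(Q - 1) + 1            # merchant's long-term secret
    y = secrets.randbelow(Q - 1) + 1            # buyer's one-time secret
    gx, gy = pow(G, x, P), pow(G, y, P)
    shared = pow(gx, y, P)                      # buyer computes (g^x)^y
    assert shared == pow(gy, x, P)              # merchant computes (g^y)^x
    proof = prove_dh_tuple(gy, gy, shared, shared, x, b"spend")
    return verify_dh_tuple(gy, gy, shared, shared, proof, b"spend")

if __name__ == "__main__":
    print("stealth spend verifies:", stealth_spend())
```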