

Diffie-Hellman generates a shared secret between two people so that the secret cannot be seen by observing the communication. That is an important distinction:

You are not sharing information during the key exchange. You are creating a key together. This is useful for creating shared public keys in MultiSig and Ring Signature settings.

Diffie-Hellman Tuple

Let $g, h, u, v$ be public group elements.

The prover proves knowledge of $x$ such that $u = g^x$ and $v = h^x$.

  1. The prover picks $r \leftarrow_R \mathbb{Z}_q$, computes $(t_0, t_1) = (g^r, h^r)$ and sends $(t_0, t_1)$ to the verifier.
  2. The verifier picks $c \leftarrow_R \mathbb{Z}_q$ and sends $c$ to the prover.
  3. The prover sends $z = r + cx$ to the verifier, who accepts if $g^z = t_0 \cdot u^c$ and $h^z = t_1 \cdot v^c$.

Fiat-Shamir Transformation

You can obtain a non-interactive variant of the above protocol via a Fiat-Shamir transformation, where $c = H(t_0 \| t_1 \| m)$ (for some message $m$ to be signed).

We call this proveDHTuple(g, h, u, v).



The security of ZeroJoin is based on the Decision Diffie-Hellman (DDH) assumption, a computational hardness assumption about a certain problem involving discrete logarithms in cyclic groups.

  • A basic tool to restore the fungibility of digital notes.
  • Basic scheme, ZeroJoin, is based on ring signatures and proof of knowledge for a Diffie-Hellman tuple
  • Paper with contracts

| Bitcoin | Ethereum | Ergo |
| --- | --- | --- |
| No onchain mixing | Trusted setup-based or inefficient | Efficient, minimal trust assumptions |

Stealth Addresses

Another solution for improving privacy is using stealth addresses. A stealth address preserves recipient privacy without needing per-transaction interaction: the receiver publishes an address, e.g. on its website, and the sender can then derive a unique one-time address from it.

A solution in Ergo can be based on a non-interactive Diffie-Hellman key exchange.

  • So a merchant, for example, publishes its public key $g^x$ corresponding to the secret $x$.
  • Then the buyer with public key $g^y$ obtains the shared secret $(g^x)^y = (g^y)^x$.
  • The box created by the buyer could be protected by ProveDLog($g^{xy}$ for generator $g^y$).
  • Unfortunately, ProveDLog in Ergo does not support custom generators, but it can be bypassed with a little Ergo magic: proveDHTuple($g^y$, $g^y$, $g^{xy}$, $g^{xy}$). The buyer can use a one-time secret $g^r$ for one-time keys.

| Bitcoin | Ethereum | Ergo |
| --- | --- | --- |
| - | - | Efficient |

Some draft contracts are available.