WARNING: zkSigma is research code and should not be used with sensitive data. It definitely has bugs!
zkSigma is a library for generating non-interactive zero-knowledge proofs, also known as NIZKs. The proofs in zkSigma are based on Generalized Schnorr Proofs; they can be publicly verified and do not require any trusted setup.
Features:
- Generating non-interactive zero-knowledge proofs for various logical statements
- Simplified elliptic curve operations
- Plug and Play API
- Built in serialization and deserialization of proofs
Statements that can be proved:
- I can open a Pedersen Commitment `A (= aG + uH)` (Open)
- I know the discrete log of a commitment `A (= aG)` (GSPFS Proof)
- I know the discrete log of commitments `A (= xG)` and `B (= xH)` and they are equal (Equivalence Proof)
- I know the discrete log of either commitment `A` or `B` (Disjunctive Proof)
- I know that the blinding factor of commitments `A` and `B` is equal (Consistency Proof)
- I know `a`, `b`, and `c` in commitments `A`, `B` and `C` and `a * b = c` (ABC Proof)
- I know `a` and `b` in commitments `A` and `B` and `a != b` (Inequality Proof is a special case of ABC Proof)
Running the tests:
- `go test -debug1` - Will show debugging messages, good for debugging a proof that is not generating or verifying
- `go test -range` - Run rangeproof tests (default: off)
Notation:
- lower case letters are scalars (`a`, `b`, `c`, `x`, ...)
- lower case letters starting with `u` are randomly generated scalars (`ua`, `ub`, `u1`, `u2`, ...)
- upper case letters are always elliptic curve points (type `ECPoint`) (`G`, `H`, `A`, `B`, ...)
- `G` = Base Point of `ZKCurve.C`
- `H` = Secondary Base Point whose relation to `G` should not be known
- `A`, `B`, `CM`, `CMTok`, etc. are usually of the form `vG + uH` unless otherwise stated
- `sk` and `PK` are always secret key and public key. `sk` is a randomly chosen scalar. `PK = sk * H`
- `CM` = Commitment of the form `aG + uH`
- `CMTok` = Commitment Token of the form `ua * PK`
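As an added example (not code from the zkSigma library), here is the GSPFS statement from the list above written out as a Fiat-Shamir Schnorr proof in plain Go with `crypto/elliptic`: P-256's base point stands in for `G`, the challenge hash binds both `T` and `A`, and the verifier checks `sG == T + cA`.

```go
package main

import (
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"math/big"
)
// Added example, not zkSigma's own code: a non-interactive Schnorr proof
// that the prover knows x with A = xG, using the P-256 base point as G.
var curve = elliptic.P256()

// SchnorrProof holds the commitment T = uG and response s = u + c*x mod n.
type SchnorrProof struct{ TX, TY, S *big.Int }

// challenge derives c = SHA-256(T || A) mod n; hashing A into c is what
// stops a proof for one point from being replayed against another.
func challenge(tx, ty, ax, ay *big.Int) *big.Int {
	h := sha256.New()
	for _, v := range []*big.Int{tx, ty, ax, ay} {
		h.Write(v.FillBytes(make([]byte, 32))) // fixed-width encoding
	}
	c := new(big.Int).SetBytes(h.Sum(nil))
	return c.Mod(c, curve.Params().N)
}

// Prove returns A = xG and a proof of knowledge of x.
func Prove(x *big.Int) (ax, ay *big.Int, p SchnorrProof) {
	n := curve.Params().N
	ax, ay = curve.ScalarBaseMult(x.Bytes())
	u, err := rand.Int(rand.Reader, n) // fresh per proof, never reused
	if err != nil {
		panic(err)
	}
	p.TX, p.TY = curve.ScalarBaseMult(u.Bytes())
	c := challenge(p.TX, p.TY, ax, ay)
	p.S = new(big.Int).Mul(c, x)
	p.S.Add(p.S, u).Mod(p.S, n)
	return ax, ay, p
}

// Verify checks sG == T + cA with c recomputed from the transcript.
func Verify(ax, ay *big.Int, p SchnorrProof) bool {
	c := challenge(p.TX, p.TY, ax, ay)
	lx, ly := curve.ScalarBaseMult(p.S.Bytes())
	cx, cy := curve.ScalarMult(ax, ay, c.Bytes())
	rx, ry := curve.Add(p.TX, p.TY, cx, cy)
	return lx.Cmp(rx) == 0 && ly.Cmp(ry) == 0
}
```

Reusing `u` across two proofs of the same `x` would leak `x` from the two responses, which is why the nonce is drawn fresh each time.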
References:
- Sigma Protocols: A three step protocol where a prover and verifier can exchange a commitment and a challenge in order to verify proof of knowledge behind the commitment. Simple explanation here.
- Unifying Zero-Knowledge Proofs of Knowledge: This paper explains zero-knowledge proof of knowledge and provides the foundation on which all our proofs are built.
- zkLedger: A privacy preserving distributed ledger that allows for verifiable auditing. The original motivation for creating zkSigma.
- Bulletproofs: A faster form of rangeproofs that only requires log(n) steps to verify that a commitment is within a given range. This might be integrated into this library in the future.
You cannot use zkSigma to prove general statements.