WARNING: zkSigma is research code and should not be used with sensitive data. It definitely has bugs!
zkSigma is a library for generating non-interactive zero-knowledge proofs, also known as NIZKs. The proofs in zkSigma are based on Generalized Schnorr Proofs; they can be publicly verified and do not require any trusted setup.
Features:
Statements that can be proved:
A(=aG+uH) (Open)A(=aG) (GSPFS Proof)A(=xG) and B(=xH) and they are equal (Equivalence Proof)A or B (Disjunctive Proof)A and B is equal (Consistency Proof)a, b, and c in commitments A, B and C and a * b = c (ABC Proof)a and b in commitments A and B and a != b (InequalityProof is a special case of ABC Proof)Running the tests:
go test -debug1go test -rangeNotation:
a, b, c, x,...)u are randomly generated scalars (ua, ub, u1, u2, ...)ECPoint) (G, H, A, B,...)
G = Base Point of ZKCurve.CH = Secondary Base Point whose relation to G should not be knownA, B, CM, CMTok, etc, are usually of the form vG+uH unless otherwise statedsk and PK are always secret key and public key. sk is a randomly chosen scalar. PK = sk * HCM = Commitment of the form aG + uHCMTok = Commitment Token of the form ua * PKSigma Protocols : A three step protocol where a prover and verifier can exchange a commitment and a challenge in order to verify proof of knowledge behind the commitment. Simple explanation here.
Unifying Zero-Knowledge Proofs of Knowledge : This paper explains zero-knowledge proof of knowledge and provides the foundation on which all our proofs are built upon.
zkLedger : A privacy preserving distributed ledger that allows for verifiable auditing. The original motivation for creating zksigma.
Bulletproofs : A faster form of rangeproofs that only requires log(n) steps to verify that a commitment is within a given range. This might be integrated into this library in the future.
You cannot use zkSigma to prove general statements.