WARNING: zkSigma is research code and should not be used with sensitive data. It definitely has bugs!
zkSigma is a library for generating non-interactive zero-knowledge proofs, also known as NIZKs. The proofs in zkSigma are based on Generalized Schnorr Proofs; they can be publicly verified and do not require any trusted setup.
Features:
Statements that can be proved:
- `A` (`=aG+uH`) (Open)
- `A` (`=aG`) (GSPFS Proof)
- `A` (`=xG`) and `B` (`=xH`) and they are equal (Equivalence Proof)
- `A` or `B` (Disjunctive Proof)
- `A` and `B` is equal (Consistency Proof)
- `a`, `b`, and `c` in commitments `A`, `B` and `C` and a * b = c (ABC Proof)
- `a` and `b` in commitments `A` and `B` and a != b (InequalityProof is a special case of ABC Proof)

Running the tests:
go test -debug1
go test -range
Notation:
- `a`, `b`, `c`, `x`,...)
- `u` are randomly generated scalars (`ua`, `ub`, `u1`, `u2`, ...)
- `ECPoint`) (`G`, `H`, `A`, `B`,...)
  - `G` = Base Point of ZKCurve.C
  - `H` = Secondary Base Point whose relation to `G` should not be known
  - `A`, `B`, `CM`, `CMTok`, etc, are usually of the form vG+uH unless otherwise stated
- `sk` and `PK` are always secret key and public key. `sk` is a randomly chosen scalar. PK = sk * H
- `CM` = Commitment of the form aG + uH
- `CMTok` = Commitment Token of the form ua * PK
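
The statement `A` (`=aG`) from the list above, proved non-interactively with a Fiat-Shamir challenge. This is an added example, not zkSigma's code or API: it assumes Go's standard-library P-256 as a stand-in curve, and the names `Proof`, `challenge`, `Prove` and `Verify` are hypothetical.

```go
package main
import (
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"math/big"
)
// Assumption: P-256 stands in for the library's curve; order is the group order.
var curve, order = elliptic.P256(), elliptic.P256().Params().N

// Proof holds the commitment T = u*G and the response s = u + c*a mod order.
type Proof struct{ Tx, Ty, S *big.Int }

// challenge binds c to the statement A and the commitment T (Fiat-Shamir).
func challenge(coords ...*big.Int) *big.Int {
	h := sha256.New()
	for _, v := range coords {
		h.Write(v.FillBytes(make([]byte, 32)))
	}
	return new(big.Int).Mod(new(big.Int).SetBytes(h.Sum(nil)), order)
}

// Prove returns A = a*G and a proof of knowledge of a, for a in [1, order-1].
func Prove(a *big.Int) (ax, ay *big.Int, pf Proof, err error) {
	ax, ay = curve.ScalarBaseMult(a.Bytes())
	u, err := rand.Int(rand.Reader, order) // fresh random scalar u for every proof
	if err != nil {
		return
	}
	tx, ty := curve.ScalarBaseMult(u.Bytes())
	s := new(big.Int).Mul(challenge(ax, ay, tx, ty), a)
	return ax, ay, Proof{tx, ty, s.Add(s, u).Mod(s, order)}, nil
}

// Verify validates the points and the range of s, then checks s*G == T + c*A.
func Verify(ax, ay *big.Int, pf Proof) bool {
	if !curve.IsOnCurve(ax, ay) || !curve.IsOnCurve(pf.Tx, pf.Ty) || pf.S.Sign() < 0 || pf.S.Cmp(order) >= 0 {
		return false
	}
	lx, ly := curve.ScalarBaseMult(pf.S.Bytes())
	cx, cy := curve.ScalarMult(ax, ay, challenge(ax, ay, pf.Tx, pf.Ty).Bytes())
	rx, ry := curve.Add(pf.Tx, pf.Ty, cx, cy)
	return lx.Cmp(rx) == 0 && ly.Cmp(ry) == 0
}

func main() {
	ax, ay, pf, err := Prove(big.NewInt(42)) // constructed demo secret
	fmt.Println("proof verifies:", err == nil && Verify(ax, ay, pf))
}
```

Reusing the same `u` for two proofs over the same `a` reveals `a`, because the two responses differ only by the challenge difference times `a`.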
Sigma Protocols: A three-step protocol in which a prover and verifier exchange a commitment and a challenge in order to verify proof of knowledge behind the commitment. Simple explanation here.
Unifying Zero-Knowledge Proofs of Knowledge: This paper explains zero-knowledge proofs of knowledge and provides the foundation on which all our proofs are built.
zkLedger: A privacy-preserving distributed ledger that allows for verifiable auditing. The original motivation for creating zkSigma.
Bulletproofs: A faster form of range proofs that only requires log(n) steps to verify that a commitment is within a given range. This might be integrated into this library in the future.
You cannot use zkSigma to prove general statements.