Introduction
Cryptography can often feel inaccessible, partly because modern cryptography is based on some highly advanced math. Ultimately, though, we all understand the basic idea: using a secret code to ensure that no one can read a message unless they have the right key.
Cryptography underpins all blockchains, but some blockchains offer privacy features that rely on additional cryptographic processes. There are many ways to achieve on-chain privacy, and to deliver confidential transactions of different kinds.
In Ergo's case, a special class of cryptographic proofs is used, known as Sigma Protocols. Below, we'll take a high-level look at what they are, how they work, and why they offer such powerful privacy functionality for Ergo's users.
Why Zero-Knowledge Proofs Matter
Sigma Protocols are a special type of zero-knowledge proofs. A zero-knowledge proof allows you to prove something without revealing the nature of the underlying piece of information.
Bike Lock Analogy
An everyday analogy is a number combination lock used to secure a bike. You can prove the bike is yours by entering the correct combination. No one watching needs to see the number itself: the proof is the fact that the bike has been released.
Phone Unlock
Proving a mobile phone is yours by entering the correct pin code or unlocking it with your fingerprint is another example. The unlock proves ownership without revealing the PIN.
The Dice Example
You want to prove to an observer that the number rolled on a dice is larger than 3, without revealing what the number actually is.
- 1. Cover the numbers 4, 5, and 6 with stickers
- 2. Roll the dice in front of the observer
- 3. If a sticker shows up, it proves the number is >3
- 4. Observer can check faces 1, 2, 3 are uncovered
- 5. You remove the sticker in secret later
Zero-knowledge proofs have lots of real-world privacy-preserving applications. For example, you might want to prove you are over 18, without revealing your actual date of birth or other sensitive information.
They are also used by some cryptocurrencies. Privacy coin ZCash uses ZKPs to enable privacy in blockchain transactions. Users can prove a transaction is legitimate (for example, that they have a large enough balance, and that the addresses are valid) without revealing the actual amount, or the sender/recipient.
Ergo's Sigma Protocols are one way of implementing zero-knowledge proofs, but they hold additional advantages beyond the ZKPs used by ZCash and other similar cryptocurrencies.
What Exactly Are Sigma Protocols?
Sigma Protocols are a special class of composable zero-knowledge proofs. As well as being used to prove information without revealing sensitive data, they can be customized to create special conditions.
The Three-Step Dance
A Sigma Protocol involves a three-step interaction: a commitment, challenge, and response. Here's a simple card example:
Sigma Protocols allow a user to prove knowledge of a secret, without revealing the secret itself. But there's much more to them than that. A key benefit of Sigma Protocols is that they are composable: they can be combined like building blocks, stringing together a series of proofs, still without revealing sensitive information.
The "Lego Block" Approach
You can take two or more proofs, and link them using logical connectors like AND, OR, etc. For example, you could create a proof that shows you know the private key to Address A OR Address B.
Threshold Signatures
Prove 3 of 5 parties approved without revealing which 3
Confidential Voting
Prove token ownership and voting eligibility privately
Private DeFi
Prove sufficient collateral without revealing holdings
Sigma Protocols are also lightweight, making them ideal for blockchain use, where on-chain data storage is expensive. (The size of conventional zero-knowledge proofs limits the throughput of ZCash.)
From Interactive to Non-Interactive Proofs
So-called "interactive" proofs require this kind of back-and-forth between prover and verifier – the commit/challenge/response cycle. While this offers a high degree of flexibility and is useful for many applications, it is not always practical. When the verifier is the whole blockchain network, with hundreds or thousands of nodes, everything must be verifiable from a single transaction.
Fiat-Shamir Transformation
This is achieved using a technique known as a Fiat-Shamir Transformation. Instead of the verifier asking for a random challenge, the challenge is derived from the commitment, using a hash (a kind of unique cryptographic fingerprint) and included with the response.
Result: The prover can include everything in a single, self-contained message. Anyone can check the challenge, because it is based on the commitment.
This allows the prover to include everything in a single, self-contained message. This doesn't work for cases where the verifier wants to choose what information is to be proved, but it is a simple and efficient way to prove specific aspects of a piece of data. This is how Ergo turns Sigma Protocols into non-interactive zero-knowledge (NIZK) proofs.
NIZKs are useful for many popular applications. A user can prove that an on-chain vote is valid, without revealing their identity or choice. In the context of anonymizing coins (ErgoMixer), they can prove that they made a deposit of a certain amount, without revealing the originating address. You can even prove that a smart contract executed properly, despite using private inputs.
Programmable Privacy: How Ergo Uses Sigma Protocols
Ergo's unique Sigma Protocols layer enables flexible and confidential smart contracts. While first-generation privacy coins like ZCash, Dash, and Monero offer private transfers, Ergo allows Programmable Privacy.
Using Sigma Protocols, developers can build a wide range of cryptographic solutions, including ring signatures, multi-sig addresses, zero-knowledge mixers, and dApps based on these. Unlike ZCash and Monero, Ergo's approach is lightweight and scalable, ensuring a sustainable future for private applications on the network.
Optional Privacy
Privacy is optional, rather than "always on". Users and developers can benefit from the transparency of the public blockchain where they want, but implement robust privacy where they need to.
Auditable Proofs
The proofs are auditable. Users can selectively disclose information about private transactions, as required. This is vital for compliance and institutional adoption.
This makes the Ergo blockchain an incredibly powerful toolkit for builders. For blockchain technology to become widely adopted, and to ensure maximum possible utility, we need both privacy and compliance.
Sigma Protocols Vs Other Privacy Tech
Ergo offers a different approach to other privacy coins on the market, thanks to Sigma Protocols' unique combination of properties.
| Feature | ZCash | Monero | Dash | Ergo |
|---|---|---|---|---|
| Trusted Setup | Required | Not needed | Not needed | Not needed |
| Lightweight | Heavy | Moderate | Light | Light |
| Optional Privacy | Yes | Always-on | Yes | Yes |
| Selective Disclosure | Possible | Limited | No | Full support |
| Composable | Limited | No | No | Fully composable |
Key Takeaway: Monero (ring signatures), Dash (CoinJoin mixing), and ZCash (zero-knowledge proofs) all provide a degree of privacy, but only Ergo offers flexible, auditable privacy without the overhead of heavy cryptographic circuits.
Ergo And The Future Of Accessible Privacy
Privacy has become the single most important trend in the blockchain space. Individuals are increasingly demanding privacy, against a backdrop of increasingly intrusive financial surveillance, and institutions cannot adopt blockchain at scale without ensuring compliance with data protection laws and protections against industrial espionage.
Ergo's Sigma Protocols offer programmable privacy: flexible, composable proofs that can be used as primitives for blockchain and DeFi operations. Importantly, they enable both robust privacy and the ability to selectively disclose transaction information where required – offering the ideal combination of confidentiality and compliance.
Find out more about Sigma Protocols and start building privacy-focused dApps by checking out Ergo's documentation.