(sorry for crossposting this message; it was initially shared with the commit-and-prove working group, but nobody can access it outside the group.)
Following the discussions during «Commit-and-Prove Zero-Knowledge Proof Systems» from Matteo Campanelli and «Zero-Knowledge Proofs for Constructing Protocols» from Jan Camenisch, I’d like to open a thread to see what the general feeling is about standardizing sigma protocols.
Concretely, I’m thinking about the formalization of Camenisch-Stadler and [Boneh-Shoup, Chap. 19].
I am aware that there are more involved sigma protocols that have better asymptotics in particular scenarios (e.g. [GK14]); but I’d rather stay with these simpler ones for now.
Sigma protocols are simple, mature and pretty powerful; I think they deserve a place in this general standardization effort for proving in zk knowledge of a dlog, one-of-many dlogs, discrete log equality, that a triple is a DDH tuple, proving knowledge of multiple dlogs simultaneously, and more generally (simple) relations on committed values.
What’s your feeling on this? Perhaps we can use the hearts to test the general vibe?
As a first step, I’m listing the current use-cases and implementations, in the hope that they will help better understand the context and scope the proposal.
- some VOPRFs; they use DLEQ;
- anonymous credentials; (at least) AND+DLEQ:
  - Signal, who’s been using Algebraic MACs for group chats;
  - Coconut: Threshold Issuance Selective Disclosure Credentials with Applications to Distributed Ledgers;
- ring signatures; OR(+AND);
- openings on Pedersen commitments, or plaintexts of ElGamal encryptions; DH tuple;
- your use-case here
A lot of works were blatantly stolen from the already-made comparisons of Lueks, Kulynych, Fasquelle, Le Bail-Collet, Troncoso. So… yeah, thanks!
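To make the relations in the list above concrete, here is an added example (written for this thread, not code from the original post or from any of the projects named in it) of three of the basic sigma protocols made non-interactive with Fiat-Shamir: Schnorr knowledge of a dlog, Chaum-Pedersen DLEQ (equivalently, that a tuple is DDH), and knowledge of a Pedersen opening. The group parameters `P`, `Q`, `G`, `H` are a constructed toy Schnorr group chosen so the script runs offline; a real deployment would use a standard curve or a large prime-order group, and the `challenge` tags are my own domain-separation choice, not a standardized encoding.

```python
import hashlib
import secrets

# Toy Schnorr group, constructed for this example only: p = 2q + 1 with q
# prime, so the quadratic residues mod p form a subgroup of prime order q.
# A deployment would use a standard elliptic curve or a >= 2048-bit group.
P = 2039          # prime
Q = 1019          # prime, (P - 1) // 2
G = 4             # 2^2 mod P: generator of the order-Q subgroup
H = 9             # 3^2 mod P: second generator, log_G(H) unknown to the prover


def in_group(y):
    """Verifier-side membership check: y must lie in the order-Q subgroup."""
    return 0 < y < P and pow(y, Q, P) == 1


def challenge(tag, *elements):
    """Fiat-Shamir challenge over the statement and the commitments.
    The tag gives each relation its own hash domain (assumed encoding)."""
    data = tag.encode() + b"".join(int(e).to_bytes(4, "big") for e in elements)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def prove_dlog(x):
    """Schnorr: prove knowledge of x with y = G^x.  Returns (y, proof)."""
    y = pow(G, x, P)
    r = secrets.randbelow(Q)           # fresh randomness per proof
    t = pow(G, r, P)                   # commitment
    c = challenge("dlog", G, y, t)     # challenge binds statement and commitment
    s = (r + c * x) % Q                # response
    return y, (t, s)


def verify_dlog(y, proof):
    t, s = proof
    if not (in_group(y) and in_group(t) and 0 <= s < Q):
        return False
    c = challenge("dlog", G, y, t)
    return pow(G, s, P) == (t * pow(y, c, P)) % P


def prove_dleq(x):
    """Chaum-Pedersen DLEQ: prove log_G(y1) = log_H(y2) = x,
    i.e. that (G, H, y1, y2) is a DDH tuple.  Returns ((y1, y2), proof)."""
    y1, y2 = pow(G, x, P), pow(H, x, P)
    r = secrets.randbelow(Q)
    t1, t2 = pow(G, r, P), pow(H, r, P)  # same r under both generators
    c = challenge("dleq", G, H, y1, y2, t1, t2)
    s = (r + c * x) % Q
    return (y1, y2), (t1, t2, s)


def verify_dleq(y1, y2, proof):
    t1, t2, s = proof
    if not all(in_group(v) for v in (y1, y2, t1, t2)) or not 0 <= s < Q:
        return False
    c = challenge("dleq", G, H, y1, y2, t1, t2)
    return (pow(G, s, P) == (t1 * pow(y1, c, P)) % P
            and pow(H, s, P) == (t2 * pow(y2, c, P)) % P)


def prove_pedersen_opening(m, rnd):
    """Prove knowledge of (m, rnd) opening the commitment C = G^m H^rnd.
    Returns (C, proof)."""
    com = (pow(G, m, P) * pow(H, rnd, P)) % P
    rm, rr = secrets.randbelow(Q), secrets.randbelow(Q)
    t = (pow(G, rm, P) * pow(H, rr, P)) % P
    c = challenge("pedersen", G, H, com, t)
    return com, (t, (rm + c * m) % Q, (rr + c * rnd) % Q)


def verify_pedersen_opening(com, proof):
    t, sm, sr = proof
    if not (in_group(com) and in_group(t)) or not (0 <= sm < Q and 0 <= sr < Q):
        return False
    c = challenge("pedersen", G, H, com, t)
    lhs = (pow(G, sm, P) * pow(H, sr, P)) % P
    return lhs == (t * pow(com, c, P)) % P


if __name__ == "__main__":
    y, pr = prove_dlog(123)
    print("dlog proof verifies:", verify_dlog(y, pr))
    (y1, y2), pr = prove_dleq(77)
    print("DLEQ proof verifies:", verify_dleq(y1, y2, pr))
    com, pr = prove_pedersen_opening(5, 31)
    print("Pedersen opening verifies:", verify_pedersen_opening(com, pr))
```

Two details matter more than the arithmetic when this gets standardized: the verifier must check that every received element is actually in the prime-order subgroup (otherwise small-subgroup inputs bypass the check), and the Fiat-Shamir hash must cover the full statement and commitments under a per-relation domain tag, since a challenge that omits the statement lets a proof be replayed against a different one.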