Hello there,
(sorry for crossposting this message; it was initially shared with the commitandprove working group, but nobody can access it outside the group.)
Following the discussions during «CommitandProve ZeroKnowledge Proof Systems» from Matteo Campanelli and «ZeroKnowledge Proofs for Constructing Protocols» from Jan Camenish, I’d like to open a thread to see what’s the general feeling for standardizing sigma protocols.
Concretely, I’m thinking about the formalization of CamenischStadler and [BonehSchoup, Chap. 19].
I am aware that there are more involved sigma protocols that have better asymptotics in particular scenarios (e.g. for instance [GK14]); but it’d rather stay with these simpler ones for now.
Sigma protocols are simple, mature and pretty powerful; I think they deserve a place in this general standardization effort for proving in zk knowledge of a dlog, oneofmany dlogs, discrete log equality, that a triple is a DDH tuple, proving knowledge of multiple dlogs simultaneously, and more generally (simple) relations on committed values.
What’s your feeling on this? Perhaps we can use the hearts to test the general vibe?
As a first step, I’m listing the current usecases and implementations, in the hope that they will help better understand the context and scoping the proposal.
Usecases

Schnorr proofs:
 [RFC8235];

some VOPRFs, they use DLEQ:

anonymous credentials; (at least) AND+DLEQ;
 Signal, who’s been using Algebraic MACs for group chats;
 Coconut: Threshold Issuance Selective Disclosure Credentials with Applications to Distributed Ledgers;

Ring Signatures; OR(+AND):

openings on Pedersen commitments, or plaintexts of ElGamal encryptions; DH tuple:

your usecase here
Implementations
A lot of works were blatantly stolen from the alreadymade comparisons of Lueks, Kulynych, Fasquelle,Le BailCollet,Troncoso. So… yeah, thanks!