sigma

package

v0.1.0 Latest Latest Go to latest Published: Feb 16, 2026 License: Apache-2.0 Imports: 9 Imported by: 0

Details

Valid go.mod file
Redistributable license
Tagged version
Stable version
Learn more about best practices

Repository

github.com/bronlabs/bron-crypto

Links

Open Source Insights

README ¶

Sigma protocol

This package defines a generic interface for sigma protocols and interactive compiler for running it in round-based setup where:

Round 1: $P$ computes commitment $a$ and sends it to $V$, stores the state $s$ locally,
Round 2: $V$ randomly create a challenge $e$ and sends it to $P$,
Round 3: $P$ computes response $z$ and sends to $V$,
$V$ performs verification.

Additionally, the RunHonestVerifierZkSimulator method is defined. In the context of Honest-Verifier Zero-Knowledge Proofs of Knowledge, the simulator is an algorithm that is able to fake a commitment and a convincing proof without knowledge of the witness. In order to fake it, the simulator does things in reverse order (a.k.a. "rewinds"): first create a proof/response, and then compute the commitment intelligently so that the full interaction would be valid if played in the right order.

The method is needed because the OR composition of proofs requires a valid simulator for the proof generation, that is, in order to generate a proof for $x_0$ OR $x_1$ we must know how to convincingly simulate the one we don't know and thus can't prove knowledge of!

See CDS94 for details.

WARNING

treat compositions and compilers with care as what’s programmatically allowed isn’t going to be necessarily secure or preserve the security of the larger protocol.

Documentation ¶

Overview ¶

Package sigma defines a generic interface for sigma protocols and interactive compiler for running it in round-based setup where:.

See README.md for details.

Index ¶

Variables
type Anchor
type ChallengeBytes
type Commitment
type MaurerCommitment
type MaurerProtocol
type MaurerResponse
type MaurerState
type MaurerStatement
type MaurerWitness
type Name
type OneWayHomomorphism
type Protocol
type Prover
- func NewProver[X Statement, W Witness, A Commitment, S State, Z Response](sessionID network.SID, transcript transcripts.Transcript, ...) (*Prover[X, W, A, S, Z], error)
- func (p *Prover[X, W, A, S, Z]) Round1() (A, error)
- func (p *Prover[X, W, A, S, Z]) Round3(challengeBytes []byte) (Z, error)
type Response
type State
type Statement
type Verifier
- func NewVerifier[X Statement, W Witness, A Commitment, S State, Z Response](sessionID network.SID, transcript transcripts.Transcript, ...) (*Verifier[X, W, A, S, Z], error)
- func (v *Verifier[X, W, A, S, Z]) Round2(commitment A) ([]byte, error)
- func (v *Verifier[X, W, A, S, Z]) Verify(response Z) error
type Witness

Constants ¶

This section is empty.

Variables ¶

View Source

var (
	// ErrInvalidArgument indicates missing or inconsistent inputs.
	ErrInvalidArgument = errs.New("invalid argument")
	// ErrRound is returned when rounds are invoked out of order.
	ErrRound = errs.New("invalid round")
)

Functions ¶

This section is empty.

Types ¶

type Anchor ¶

type Anchor[I algebra.GroupElement[I], P algebra.GroupElement[P]] interface {
	L() *num.Nat
	// PreImage returns w such that phi(w) == x * L()
	PreImage(x I) (w P)
}

Anchor defines the public anchor for Maurer-style protocols. I.e., it defines a scalar L for which it is easy to compute phi^{-1}(x * L).

type ChallengeBytes ¶

type ChallengeBytes []byte

ChallengeBytes is the binary encoding of the challenge space. Sigma protocols are defined on an arbitrary challenge space; we standardise on a byte encoding to ease OR-composition and transcript handling.

type Commitment ¶

type Commitment base.BytesLike

Commitment is the commitment type.

type MaurerCommitment ¶

type MaurerCommitment[I algebra.GroupElement[I]] interface {
	Commitment
	base.Transparent[I]
}

MaurerCommitment is a commitment with transparent group encoding.

type MaurerProtocol ¶

type MaurerProtocol[
	I algebra.GroupElement[I],
	P algebra.GroupElement[P],
	X MaurerStatement[I],
	W MaurerWitness[P],
	A MaurerStatement[I],
	S MaurerState[P],
	Z MaurerResponse[P],
] interface {
	Protocol[X, W, A, S, Z]

	PreImageGroup() algebra.FiniteGroup[P]
	ImageGroup() algebra.FiniteGroup[I]
	Phi() OneWayHomomorphism[I, P]
	Anchor() Anchor[I, P]
}

MaurerProtocol defines Maurer-style protocol.

type MaurerResponse ¶

type MaurerResponse[P algebra.GroupElement[P]] interface {
	Response
	base.Transparent[P]
}

MaurerResponse is a response with transparent group encoding.

type MaurerState ¶

type MaurerState[P algebra.GroupElement[P]] interface {
	State
	base.Transparent[P]
}

MaurerState is a prover state with transparent group encoding.

type MaurerStatement ¶

type MaurerStatement[I algebra.GroupElement[I]] interface {
	Statement
	base.Transparent[I]
}

MaurerStatement is a statement with transparent group encoding.

type MaurerWitness ¶

type MaurerWitness[P algebra.GroupElement[P]] interface {
	Witness
	base.Transparent[P]
}

MaurerWitness is a witness with transparent group encoding.

type Name ¶

type Name string

Name identifies a sigma protocol.

type OneWayHomomorphism ¶

type OneWayHomomorphism[I algebra.GroupElement[I], P algebra.GroupElement[P]] algebra.Homomorphism[I, P]

OneWayHomomorphism defines the one way group homomorphism used in Maurer-style proofs.

type Protocol ¶

type Protocol[X Statement, W Witness, A Commitment, S State, Z Response] interface {
	Name() Name
	ComputeProverCommitment(statement X, witness W) (A, S, error)
	ComputeProverResponse(statement X, witness W, commitment A, state S, challenge ChallengeBytes) (Z, error)
	Verify(statement X, commitment A, challenge ChallengeBytes, response Z) error

	// RunSimulator produces a transcript that's statistically identical to (or indistinguishable from)
	// the output of the real Prover.
	// In the context of Honest-Verifier Zero-Knowledge Proofs of Knowledge,
	// the simulator is an algorithm that is able to fake a commitment and a convincing proof
	// without the knowledge of the witness.
	// To fake it, the simulator "rewinds" (aka does things in reverse order):
	// first create a response, and then compute the commitment intelligently so that the full transcript (a, e, z)
	// would be valid if played in the right order.
	RunSimulator(statement X, challenge ChallengeBytes) (A, Z, error)

	// SpecialSoundness returns n for which protocol has n-special soundness.
	// In other words, it returns a minimal number of how many distinct, valid
	// sigma protocol transcripts T_i = (x, e_i, z_i) for i = 1, 2, ..., n
	// are required for the existence of polynomial-time extractor of witness.
	SpecialSoundness() uint

	// SoundnessError returns the statistical soundness error `s` of the protocol,
	// i.e., the probability that a cheating prover can succeed is ≤ 2^(-s).
	// For interactive proofs it must be at least base.StatisticalSecurity,
	// for non-interactive proofs it must be at least base.ComputationalSecurity.
	SoundnessError() uint
	GetChallengeBytesLength() int

	ValidateStatement(statement X, witness W) error
}

Protocol defines the sigma protocol interface.

type Prover ¶

type Prover[X Statement, W Witness, A Commitment, S State, Z Response] struct {
	// contains filtered or unexported fields
}

Prover implements the interactive sigma prover.

func NewProver ¶

func NewProver[X Statement, W Witness, A Commitment, S State, Z Response](sessionID network.SID, transcript transcripts.Transcript, sigmaProtocol Protocol[X, W, A, S, Z], statement X, witness W) (*Prover[X, W, A, S, Z], error)

NewProver constructs a sigma protocol prover.

func (*Prover[X, W, A, S, Z]) Round1 ¶

func (p *Prover[X, W, A, S, Z]) Round1() (A, error)

Round1 runs the prover's first round.

func (*Prover[X, W, A, S, Z]) Round3 ¶

func (p *Prover[X, W, A, S, Z]) Round3(challengeBytes []byte) (Z, error)

Round3 runs the prover's third round.

type Response ¶

type Response base.BytesLike

Response is the response type.

type State ¶

type State any

State is the prover's internal state type.

type Statement ¶

type Statement base.BytesLike

Statement is the public statement type.

type Verifier ¶

type Verifier[X Statement, W Witness, A Commitment, S State, Z Response] struct {
	// contains filtered or unexported fields
}

Verifier implements the interactive sigma verifier.

func NewVerifier ¶

func NewVerifier[X Statement, W Witness, A Commitment, S State, Z Response](sessionID network.SID, transcript transcripts.Transcript, sigmaProtocol Protocol[X, W, A, S, Z], statement X, prng io.Reader) (*Verifier[X, W, A, S, Z], error)

NewVerifier constructs a sigma protocol verifier.

func (*Verifier[X, W, A, S, Z]) Round2 ¶

func (v *Verifier[X, W, A, S, Z]) Round2(commitment A) ([]byte, error)

Round2 runs the verifier's second round and samples a challenge.

func (*Verifier[X, W, A, S, Z]) Verify ¶

func (v *Verifier[X, W, A, S, Z]) Verify(response Z) error

Verify checks the prover's response.

type Witness ¶

type Witness base.BytesLike

Witness is the witness type.

Source Files ¶

View all Source files

Directories ¶

Path	Synopsis
compiler Package compiler provides compilers that transform interactive sigma protocols into non-interactive zero-knowledge proofs of knowledge (NIZKPoK).	Package compiler provides compilers that transform interactive sigma protocols into non-interactive zero-knowledge proofs of knowledge (NIZKPoK).
fiatshamir Package fiatshamir implements the Fiat-Shamir transform for compiling interactive sigma protocols into non-interactive zero-knowledge proofs.	Package fiatshamir implements the Fiat-Shamir transform for compiling interactive sigma protocols into non-interactive zero-knowledge proofs.
fischlin Package fischlin implements the Fischlin transform for compiling interactive sigma protocols into non-interactive zero-knowledge proofs with UC security.	Package fischlin implements the Fischlin transform for compiling interactive sigma protocols into non-interactive zero-knowledge proofs with UC security.
internal Package internal defines the core interfaces for non-interactive zero-knowledge proof compilers.	Package internal defines the core interfaces for non-interactive zero-knowledge proof compilers.
randfischlin Package randfischlin implements a randomised variant of Fischlin's transform for compiling interactive sigma protocols into non-interactive zero-knowledge proofs.	Package randfischlin implements a randomised variant of Fischlin's transform for compiling interactive sigma protocols into non-interactive zero-knowledge proofs.
zk Package zk implements a zero-knowledge compiler that transforms honest-verifier zero-knowledge (HVZK) sigma protocols into fully zero-knowledge interactive protocols using commitment schemes.	Package zk implements a zero-knowledge compiler that transforms honest-verifier zero-knowledge (HVZK) sigma protocols into fully zero-knowledge interactive protocols using commitment schemes.
compose
sigand Package sigand implements AND composition of sigma protocols.	Package sigand implements AND composition of sigma protocols.
sigor Package sigor implements OR composition of sigma protocols.	Package sigor implements OR composition of sigma protocols.

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL