Ergo’s smart contracts and DeFi functionality are built on Sigma protocols – a powerful, flexible class of zero-knowledge proofs. Find out more about why they’re so important, and how they put Ergo head and shoulders above the competition.
Quick privacy overview in response to the top comment in the previous stickied thread.
I’ve linked to some relevant Discord discussions so make sure to join first.
It's good practice to start with an excerpt from the Ergo Manifesto:
Privacy must remain an option to protect the individual. It does not have to be forced; let people make their own choices. Privacy is the ability to create barriers and erect boundaries to create a space for the individual. It is up to each what borders and boundaries they choose to make.
Civilization exists under a continuous tension between what is best for society and what is best for the individual. The only real entities in a community are individuals. All collectives, associations, and governments stem from individual participation and interaction.
Let’s say someone picks up a phone in a bar. You can prove it’s yours by hiding the screen, entering the unlock code and showing the unlocked screen to the person who found it. This is a simple example of a zero-knowledge proof: you have proven you own the phone without giving away any sensitive information.
In cryptography, most practical problems are associated with secrets. The most popular application lies in digital signatures, used by millions of people around the world every day. Essentially, these involve saying: ‘This message proves I know the private key associated with this public key – but I’m not revealing the private key itself’.
ErgoScript is the language used to specify the conditions under which currency can be spent. The language supports a type of non-interactive zero-knowledge proofs called Σ-protocols and is flexible enough to allow for ring-signatures, multisignatures, multiple currencies, atomic swaps, self-replicating scripts, and long-term computation.
The overwhelming majority of successful public blockchain use-cases are related to financial applications. Ergo extends Bitcoin's way of writing contracts by attaching a guard script (together with additional custom data) to every coin. For example, in addition to regular protection by some m-of-n signature, Ergo allows specifying the possible recipients of these coins, which may be another contract with similarly complex conditions. This "chaining" approach allows the implementation of secure and efficient contracts of arbitrary complexity. Keeping all this in mind, we expect ErgoScript and Ergo's design to be uniquely useful as Contractual Money.
Let’s say you want to create a ‘ring spending contract’, where either of us can make a transaction from the same address, but we don’t want anyone else to know which one of us is spending the funds. That’s not possible with Bitcoin. While Ethereum can, it would be expensive and complicated – especially with a ring size of 10 or 20 members, required for robust privacy.
With Ergo, this kind of application can be created quickly, thanks to the integration of Sigma protocols in the core. This enables self-sovereign application-level privacy: trustless scripts that can be used to access mixers or other functionality without any third parties required.
val ringScript = s"""
  {
    // 3-of-5 threshold: the box can only be spent with signatures from at least 3 of these 5 keys
    atLeast(
      3,
      Coll(
        PK("9f8ZQt1Sue6W5ACdMSPRzsHj3jjiZkbYy3CEtB4BisxEyk4RsNk"),
        PK("9hFWPyhCJcw4KQyCGu4yAGfC1ieRAKyFg24FKjLJK2uDgA873uq"),
        PK("9fdVP2jca1e5nCTT6q9ijZLssGj6v4juY8gEAxUhp7YTuSsLspS"),
        PK("9gAKeRu1W4Dh6adWXnnYmfqjCTnxnSMtym2LPPMPErCkusCd6F3"),
        PK("9gmNsqrqdSppLUBqg2UzREmmivgqh1r3jmNcLAc53hk3YCvAGWE")
      )
    )
  }
"""
This is an example 3-out-of-5 threshold signature script. It can be compiled to a P2S address; ergs sent to the resulting address are protected by the threshold signature.
Here is a good intro to making a signature
It’s relatively easy to swap coins or custom tokens trustlessly across any Bitcoin-like blockchains. But beyond that, Ergo allows partial swaps. Just like on a regular exchange, orders can be partially filled, if that’s what the trader wants. This means it’s possible to build a fully-fledged decentralised exchange (DEX) that enables cross-chain trading: a totally trustless version of existing crypto exchanges. There’s no need for any gateways, token wrapping or other potential bottlenecks or points of failure.
ErgoMixer is a state-of-the-art (and the world's first) non-interactive and non-custodial token mixer, and the first real implementation of Sigma protocols on Ergo. Mac/Windows applications are available! Check out this page on ergonaut.space for more information, including research papers and presentations, and these discussions on Discord.
A rich smart-contract language and simplicity are the priority in Ergo, and smart contracts make privacy a lot harder. There are plenty of reasons to want optional privacy: transparent ledgers are a feature for many use-cases, e.g. charities that want everyone to have full access to the flow of funds. The ability to operate with privacy or with transparency is a feature.
There are also strong arguments for optional privacy when it comes to adoption and regulation. ErgoMixer is non-interactive, so it works with the blockchain alone; no off-chain coordination with others (or a trusted coordinator) is needed.
In future, privacy by default could be enabled for every transaction in Ergo. Maybe the community will do it someday, or maybe integrating mix-nets and other novel ideas on the application layer will be sufficient.
A Schnorr signature, then, is a simple Sigma protocol signature. Schnorr signatures have been proposed as an alternative to Bitcoin's current signatures. (It is one of the most efficient signature schemes, which is why it would be beneficial for Bitcoin.)
However, there are dozens of other Sigma protocols. One of the great things about them is that they are composable, using simple AND and OR logic. So you can ask for a signature with the following statement: ‘Prove to me knowledge of either this secret OR that secret’ (this is a one-of-two ring signature). Or you can ask, ‘Prove to me knowledge of any two of these three secrets’ (a two-of-three ring signature). Those are just two simple examples; there are many more, and they can be far more complex and sophisticated.
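As an added example (not from the post or from the Ergo codebase), here is a small Python model of the two ideas above: a Schnorr signature as a non-interactive proof of knowledge of a discrete log, and the OR composition that turns two such proofs into a one-of-two ring signature where the verifier cannot tell which secret was used. The group parameters are constructed toy values, far too small for real use.

```python
import hashlib
import secrets

# Constructed toy group (far too small for real use): p = 2q + 1 with q prime,
# g = 4 generates the order-q subgroup of Z_p^*. Ergo uses the secp256k1 curve instead.
P, Q, G = 2039, 1019, 4

def keygen():
    x = secrets.randbelow(Q - 1) + 1          # secret exponent x
    return x, pow(G, x, P)                    # (x, public key y = g^x)

def challenge(msg, *elems):
    # Fiat-Shamir: hashing message, keys and commitments replaces the verifier's random challenge
    h = hashlib.sha256(msg.encode() + b"|".join(str(v).encode() for v in elems)).digest()
    return int.from_bytes(h, "big") % Q

def schnorr_sign(x, y, msg):
    r = secrets.randbelow(Q - 1) + 1
    a = pow(G, r, P)                          # commitment a = g^r
    return a, (r + challenge(msg, y, a) * x) % Q   # response z = r + e*x

def schnorr_verify(y, msg, sig):
    a, z = sig
    return pow(G, z, P) == a * pow(y, challenge(msg, y, a), P) % P

def ring_sign(known, x, pubs, msg):
    """1-of-2 OR composition: prove knowledge of x for pubs[known] without revealing which.
    The other branch is simulated from a freely chosen (e_j, z_j); the real branch must then
    answer whatever challenge share is left, so both branches look identical to a verifier."""
    k, j = known, 1 - known
    e_j, z_j = secrets.randbelow(Q), secrets.randbelow(Q)
    r = secrets.randbelow(Q - 1) + 1
    a, es, zs = [0, 0], [0, 0], [0, 0]
    a[j] = pow(G, z_j, P) * pow(pubs[j], (Q - e_j) % Q, P) % P   # a_j = g^z_j * y_j^-e_j
    a[k] = pow(G, r, P)
    e = challenge(msg, *pubs, *a)
    es[k], es[j] = (e - e_j) % Q, e_j          # challenge shares must sum to e
    zs[k], zs[j] = (r + es[k] * x) % Q, z_j
    return tuple(a), tuple(es), tuple(zs)

def ring_verify(pubs, msg, proof):
    a, es, zs = proof
    if (es[0] + es[1]) % Q != challenge(msg, *pubs, *a):
        return False
    return all(pow(G, zs[i], P) == a[i] * pow(pubs[i], es[i], P) % P for i in range(2))
```

The proof tuple returned by ring_sign has exactly the same shape whichever key was used, which is what gives the one-of-two signature its signer privacy.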
Ergo: Sigma + blockchain
When combined with a blockchain, these composable proofs enable some very powerful use cases. The logic for proofs can include conditions based on blockchain state. For example, ‘If the deadline block height has been reached, Alice can provide knowledge of a secret key for a refund. OR a ring signature from Alice and Bob is required to spend coins.’ Or ‘If this account holds a minimum of 100 ERG, Alice OR Bob can remove funds above that amount.’
Thus some very interesting and flexible DeFi applications can be built on Ergo, using secure, straightforward and efficient Sigma protocols.
Sigma protocols are the foundation of Ergo’s smart contracts. They allow for a class of efficient zero-knowledge protocols that allow implementation of tasks that would otherwise be either impossible, or else risky and expensive. For example, Sigma protocols enable ring and threshold signatures out of the box. This functionality has already been used to build a trustless, non-interactive fungibility enhancer for coins and tokens.
In comparison with zk-SNARKs, they have some very appealing properties similar to zk-STARKs. They: