What is Sigma and why is it replacing Zerocoin in Zcoin?

By March 20, 2019 No Comments
Zcoin Sigma Protocol

Sigma is Zcoin’s upcoming replacement to Zerocoin that is set to be released on testnet in Q1 2019. It makes significant improvements over Zerocoin in three areas:

  • Removal of trusted setup
  • Reduction of proof size from 25 kB to 1.5 kB
  • Improved Security

Trusted Setup

Since the beginning of Zcoin, we have always seen the “trusted setup” problem as a big drawback.

In a trusted setup, some secret (public) parameters are generated based on a “master private key”. These network parameters are needed to create the so called “zero-knowledge proofs”, which is the anonymizing technology that we use. The “master private key”, sometimes referred to as toxic waste, needs to be destroyed.  If this data is not destroyed, someone who has access to this key is able to generate an infinite amount of anonymous coins. In fact, one of the major criticisms of Zerocash and zkSNARKs (not to be confused with Zerocoin as used in Zcoin) as implemented in Zcash is its requirement to have a controversial trusted setup.

An easy way to visualize trusted setup is that you create a box with a lock on it and its corresponding key. Possession of the key will allow you to create unlimited treasure from the box and therefore the key has to be destroyed. Trusted setup is effectively trusting that the key was destroyed.

Zerocoin as implemented by Zcoin uses a trusted setup performed by a third party in an academic challenge called the RSA Factoring Challenge in 1991 where the incentive to insert a backdoor is low and there was a sizeable bounty on it to break it. Although this is a decent implementation with a low chance of it being compromised, we believe the whole purpose of blockchain is to build systems that do not require trust, and that same principle applies to our privacy system as well. In fact, Zcoin’s initial release in 2016 was delayed as our founder Poramin Insom spent many months trying to remove trusted setup through the use of RSA UFOs which proved to be unworkable and had to settle for the RSA Factoring Challenge parameters.

Sigma is based on the academic paper One-Out-Of-Many-Proofs: Or How to Leak a Secret and Spend a Coin (Jens Groth and Markulf Kohlweiss) which replaces RSA accumulators by utilizing Pedersen commitments and other techniques which cryptographic construction does not require trusted setup. The only system parameters required in the Sigma setup are ECC group specifications and the group generators.

Proof Sizes and Security

Proof sizes are significantly reduced from 25 kB in Zerocoin to 1.5 kB in Sigma which is almost a 17x reduction making it a lot cheaper to store on the blockchain and making it possible to fit much more private send transactions in a block. We also utilize the improved Sigma techniques in the paper Short Accountable Ring Signatures Based on DDH to reduce proof sizes further. This solves one of the biggest problems of Zerocoin without reducing its security.

Security via the usage of 256 bit ECC curves in Sigma is improved compared to 2048 bit RSA used in Zerocoin and is estimated to be equivalent to 3072 bit RSA.

Opens the way to Lelantus

Sigma is a precursor to our next gen privacy protocol Lelantus developed by our cryptographer Aram Jivanyan which further builds on Sigma and greatly expands its functionality and privacy features by removing the need for fixed denominations in minting and spending. Deploying Sigma gives us the necessary time to develop Lelantus properly while it undergoes academic peer review and further improvements. A separate post on Lelantus will be made at a later stage.