Lib.rs

Cryptography
#nizk #zero-knowledge #sigma-protocols

no-std sigma-proofs

A toolkit for auto-generated implementations of Σ-protocols

by Michele Orrù, nougzarm

1 unstable release

0.1.0-sigma Sep 12, 2025

#833 in Cryptography


Used in 3 crates (via sigma-compiler)

BSD-2-Clause

235KB
4.5K SLoC

sigma-rs

A Rust library for building and composing Σ-protocols (Sigma protocols) for zero-knowledge proofs.

What is sigma-rs?

This library provides a flexible framework for creating zero-knowledge proofs for any statement expressible as a linear relation over group elements. Using the Fiat-Shamir transformation, these interactive protocols become non-interactive proofs suitable for real-world applications.

Quick Example

use curve25519_dalek::ristretto::RistrettoPoint;
use curve25519_dalek::scalar::Scalar;
use group::Group;
let mut instance = sigma_proofs::LinearRelation::new();
let mut rng = rand::thread_rng();

// Define the statement:
// Prove knowledge of (x, r) such that C = x·G + r·H (Pedersen commitment)
let [var_x, var_r] = instance.allocate_scalars();
let [var_G, var_H] = instance.allocate_elements();
instance.allocate_eq(var_G * var_x + var_H * var_r);
instance.set_elements([(var_G, RistrettoPoint::generator()), (var_H, RistrettoPoint::random(&mut rng))]);

// Assign the image of the linear map.
let witness = vec![Scalar::random(&mut rng), Scalar::random(&mut rng)];
instance.compute_image(&witness);

// Create a non-interactive argument for the instance.
let nizk = instance.into_nizk(b"your session identifier").unwrap();
let narg_string: Vec<u8> = nizk.prove_batchable(&witness, &mut rng).unwrap();
// Print the narg string.
println!("{}", hex::encode(narg_string));

Composition Example

Prove complex statements with AND/OR logic:

// Prove: (I know x for A = x·G) OR (I know y,z for B = y·G AND C = z·H)
let or_protocol = Protocol::Or(vec![
    Protocol::from(dlog_relation),           // First option
    Protocol::And(vec![                      // Second option
        Protocol::from(relation_B),
        Protocol::from(relation_C),
    ])
]);

// If we know the second option, create witness for index 1
let witness = ProtocolWitness::Or(1, vec![
    ProtocolWitness::And(vec![
        ProtocolWitness::Simple(vec![y]),
        ProtocolWitness::Simple(vec![z]),
    ])
]);

Examples

See the examples/ directory:

  • schnorr.rs - Discrete logarithm proof
  • simple_composition.rs - OR-proof composition

Status

⚠️ NOT YET READY FOR PRODUCTION USE

This library is under active development. While the API is stabilizing, there are no guarantees on proof compatibility between versions.

Background

This crate continues the work from the original zkp toolkit in dalek-cryptography, modernized with updated dependencies and improved Fiat-Shamir transforms. It implements the general framework for Sigma protocols as described in Maurer (2009).

Funding

This project is funded through NGI0 Entrust, a fund established by NLnet with financial support from the European Commission's Next Generation Internet program. Learn more at the NLnet project page.

NLnet foundation logo NGI Zero Logo

Dependencies

~6MB
~106K SLoC