Paper 2022/1079

The inspection model for zero-knowledge proofs and efficient Zerocash with secp256k1 keys

Huachuang Sun, Discreet Labs
Haifeng Sun, Discreet Labs
Kevin Singh, Discreet Labs
Akhil Sai Peddireddy, Discreet Labs
Harshad Patil, Discreet Labs
Jianwei Liu, Discreet Labs
Weikeng Chen, Discreet Labs

Proving discrete log equality for groups of the same order is addressed by Chaum and Pedersen's seminal work. However, there has not been a lot of work in proving discrete log equality for groups of different orders. This paper presents an efficient solution, which leverages a technique we call delegated Schnorr. The discovery of this technique is guided by a design methodology that we call the inspection model, and we find it useful for protocol designs. We show two applications of this technique on the Findora blockchain: **Maxwell-Zerocash switching:** There are two privacy-preserving transfer protocols on the Findora blockchain, one follows the Maxwell construction and uses Pedersen commitments over Ristretto, one follows the Zerocash construction and uses Rescue over BLS12-381. We present an efficient protocol to convert assets between these two constructions while preserving the privacy. **Zerocash with secp256k1 keys:** Bitcoin, Ethereum, and many other chains do signatures on secp256k1. There is a strong need for ZK applications to not depend on special curves like Jubjub, but be compatible with secp256k1. Due to FFT unfriendliness of secp256k1, many proof systems (e.g., Groth16, Plonk, FRI) are infeasible. We present a solution using Bulletproofs over curve secq256k1 ("q") and delegated Schnorr which connects Bulletproofs to TurboPlonk over BLS12-381. We conclude the paper with (im)possibility results about Zerocash with only access to a deterministic ECDSA signing oracle, which is the case when working with MetaMask. This result shows the limitations of the techniques in this paper. This paper is under a bug bounty program through a grant from Findora Foundation.

Available format(s)
Publication info
zero-knowledge proofs zerocash secp256k1 Fiat-Shamir
Contact author(s)
crypto @ findora org
2022-09-21: last of 6 revisions
2022-08-19: received
See all versions
Short URL
Creative Commons Attribution


      author = {Huachuang Sun and Haifeng Sun and Kevin Singh and Akhil Sai Peddireddy and Harshad Patil and Jianwei Liu and Weikeng Chen},
      title = {The inspection model for zero-knowledge proofs and efficient Zerocash with secp256k1 keys},
      howpublished = {Cryptology ePrint Archive, Paper 2022/1079},
      year = {2022},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.