Nimue is a hash-agnostic library that believes in random oracles. It facilitates the writing of multi-round public coin protocols. It provides a generic API for generating the verifier's random coins and the prover randomness. The project has the following crates:
- `nimue`: the core library, with bindings for `group` and arkworks. This crate provides the basic traits for hashes based on compression functions and sponge-based hash functions, both via Rust's generic `Digest` API and a (more fine-grained and efficient) permutation function API;
- `nimue-pow`: an extension for challenges computed via grinding / proof-of-work;
- `nimue-anemoi`: a WORK IN PROGRESS implementation of the Anemoi hash function (in arkworks for now);
- `nimue-poseidon`: a WORK IN PROGRESS implementation of the Poseidon hash function (in arkworks for now).
- Automatic transcript generation. nimue comes with batteries included for serializing/deserializing algebraic elements such as field/group elements in arkworks and zkcrypto. Users can build on top of it via extension traits.
- Support for custom hash functions. To build a secure Fiat-Shamir transform, the minimal requirement is a permutation function over some set that supports byte-encoding. It can be a `u8` representing
- Retro-compatibility. We have a legacy interface for any hash function that satisfies the `digest::Digest` trait, such as `sha2` and `blake2`.
- Preprocessing. In recursive SNARKs, minimizing the number of hash invocations while maintaining security is crucial. We offer tools for preprocessing the Transcript (i.e., the state of the Fiat-Shamir transform) to achieve this goal.
- Private randomness generation. It is vital to avoid providing two different challenges for the same prover message. We do our best to avoid it by tying down the prover randomness to the protocol transcript, without making the proof deterministic.
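As an added illustration of two of the items above (custom hash functions built on a permutation, and prover randomness tied to the transcript), the block below is example code written for this page, not nimue's own code or API. It builds a duplex-sponge transcript on a generic permutation trait, has prover and verifier derive the same challenge from their own copies of the transcript, and derives prover-private randomness from a snapshot of the public transcript plus a secret seed and fresh entropy. The names `Permutation`, `ToyPerm`, `Transcript`, `ProverRng` and `one_round`, the 16-lane toy permutation, the domain strings and the sample commitment bytes are all constructed here; the toy permutation is invertible but not a secure hash and only stands in for a real sponge permutation.

```rust
use std::marker::PhantomData;

/// Minimal requirement for a sponge-based transcript: a permutation over a
/// fixed-width state whose elements byte-encode (here, plain `u8` lanes).
pub trait Permutation {
    const WIDTH: usize;
    const RATE: usize;
    fn permute(state: &mut [u8]);
}

/// Constructed toy permutation over 16 byte lanes (assumption: illustration only).
/// Every step is invertible, so it is a real permutation, but it is NOT secure.
#[derive(Clone)]
pub struct ToyPerm;

impl Permutation for ToyPerm {
    const WIDTH: usize = 16;
    const RATE: usize = 8;
    fn permute(state: &mut [u8]) {
        let w = Self::WIDTH;
        for round in 0..8u8 {
            for i in 0..w {
                // Mix both neighbours so a one-lane difference diffuses over the whole state.
                let left = state[(i + w - 1) % w].wrapping_mul(0x9d);
                let right = state[(i + 1) % w].wrapping_add(round).wrapping_mul(0x3b);
                state[i] = state[i].rotate_left(3) ^ left ^ right ^ (i as u8);
            }
        }
    }
}

/// Duplex-sponge transcript: absorb protocol messages, squeeze verifier challenges.
#[derive(Clone)]
pub struct Transcript<P: Permutation> {
    state: Vec<u8>,
    absorb_pos: usize,
    squeeze_pos: usize,
    _perm: PhantomData<P>,
}

impl<P: Permutation> Transcript<P> {
    /// Bind the transcript to a domain separator so unrelated protocols never share challenges.
    pub fn new(domain: &str) -> Self {
        let mut t = Transcript { state: vec![0u8; P::WIDTH], absorb_pos: 0, squeeze_pos: P::RATE, _perm: PhantomData };
        t.absorb(domain.as_bytes());
        t
    }

    pub fn absorb(&mut self, data: &[u8]) {
        for &b in data {
            if self.absorb_pos == P::RATE {
                P::permute(&mut self.state);
                self.absorb_pos = 0;
            }
            self.state[self.absorb_pos] ^= b;
            self.absorb_pos += 1;
        }
        // Force a permutation before the next squeeze so every absorbed byte affects it.
        self.squeeze_pos = P::RATE;
    }

    pub fn squeeze(&mut self, n: usize) -> Vec<u8> {
        let mut out = Vec::with_capacity(n);
        for _ in 0..n {
            if self.squeeze_pos == P::RATE {
                P::permute(&mut self.state);
                self.squeeze_pos = 0;
                self.absorb_pos = 0;
            }
            out.push(self.state[self.squeeze_pos]);
            self.squeeze_pos += 1;
        }
        out
    }
}

/// Prover-private randomness: a separate sponge seeded from a snapshot of the public
/// transcript plus a secret seed, re-keyed with fresh entropy on every call. The
/// transcript binding ties the randomness to the messages so far; the fresh entropy
/// keeps the proof non-deterministic.
pub struct ProverRng<P: Permutation> {
    sponge: Transcript<P>,
    entropy: Box<dyn FnMut() -> [u8; 8]>,
}

impl<P: Permutation + Clone> ProverRng<P> {
    pub fn new(transcript: &Transcript<P>, secret_seed: &[u8], entropy: Box<dyn FnMut() -> [u8; 8]>) -> Self {
        let mut sponge = transcript.clone();
        sponge.absorb(b"prover-rng");
        sponge.absorb(secret_seed);
        ProverRng { sponge, entropy }
    }

    pub fn next_bytes(&mut self, n: usize) -> Vec<u8> {
        let fresh = (self.entropy)();
        self.sponge.absorb(&fresh);
        self.sponge.squeeze(n)
    }
}

/// One round of a public-coin protocol: the prover commits, then each side derives the
/// challenge from its own copy of the transcript. Returns (prover, verifier) challenges.
pub fn one_round(domain: &str, commitment: &[u8]) -> (Vec<u8>, Vec<u8>) {
    let mut prover = Transcript::<ToyPerm>::new(domain);
    prover.absorb(commitment);
    let prover_challenge = prover.squeeze(16);
    let mut verifier = Transcript::<ToyPerm>::new(domain);
    verifier.absorb(commitment);
    (prover_challenge, verifier.squeeze(16))
}

fn main() {
    // Constructed sample commitment; a real protocol would absorb serialized field/group elements.
    let (p, v) = one_round("example-protocol-v1", b"commitment-to-witness");
    println!("prover and verifier challenge agree: {}", p == v);
    let t = Transcript::<ToyPerm>::new("example-protocol-v1");
    let mut rng = ProverRng::new(&t, b"secret-seed", Box::new(|| [7u8; 8]));
    println!("prover-private randomness: {:02x?}", rng.next_bytes(8));
}
```

The entropy source is passed in as a closure so the example runs offline; in practice it would be the operating system's CSPRNG. Changing the domain separator or any absorbed message changes the challenge, and the prover RNG changes with the transcript it was snapshotted from, with the seed, and with the fresh entropy.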
Check out the documentation and the examples in `examples/`.