This repository provides libraries for the construction of deterministic nullifiers on Ethereum keys, ERC 7524. We call them Privately Linked Unique Message Entities (or PLUMEs). PLUMEs enable zk voting, anonymous proof of solvency, and anonymous message board moderation to be possible with Ethereum keys directly, and so we think it is a critical primitive to push forwards blockchain adoption. To understand how this primitive works and the reason for design decisions, we recommend checking out our blog post.
We hope that wallets integrate the javascript, rust, or C repositories for both software and hardware signature generation, and dapps integrate the zk proof in the circuits/ directory.
If you would like to get a grant to create PLUME applications or improve the library, we have grants available from Ethereum Foundation PSE and Gitcoin Grants, and would give grants for any PRs to the repository! There are projects ideas both below in the README, as well as bountied every issue in Github has a $50 bounty on it. Feel free to pick one up, and dm us on Twitter/Telegram (@yush_g) for guidance and help, or join the discussion in the public channel in the PSE Discord for progress updates and community questions! This work was generously funded and supported by 0xPARC, Gitcoin donors, and EF PSE, and exists only due to the valuable work by contributors to this Github such as yush_g, Oren Yomtov, Richard Liu, Blake M Scurr, Piotr Roslaniec, Vu Voth, Weijie Koh, and Vivek Bhupatiraju who directly contributed to the code. Thanks to Poseidon Labs for a V2 proposal and Weiking Chen for his filed issues, and our auditors (0xbok), as well as all of the folks acknowledged in the research paper and blog post.
If you'd like to contribute, we offer $50 bounties in Eth/DAI for resolving any of the bugs in our issues! Each of them is quite small. That includes #28, #24, #14,and #13.
rust-k256: Rust, using the k256 libraryrust-arkworks: Rust, using arkworksjavascript: JavaScript, using MIRACL
- Mina: Uses it for nullifiers here and here. We are working with them to be fully ERC compliant!
- Taho: We have an open PR that we are waiting on them to merge!
- Metamask: We have an open PR set (rpc, api, core) that we are waiting on them to merge!
- Aztec: WIP, grant out to implement in Noir.
We have been audited by 0xbok for these three implementations V1 and V2 implementations, as well as for V1 circuits in circom. We expect the halo2 circuits to be runnable on mobile (once we have aduited that code and put up a recursive proving infrastructure setup).
First, clone this repository and navigate to the javascript/ directory.
Install dependencies:
npm iIf you encounter an error No prebuilt binaries found, try switching to node v18.17.0 (using n, for example) to work around our dependency's build issue.
Then, navigate to the circuits/ directory and install the dependencies there:
npm iRun the tests:
npm run flatten-deps && \
npm run testBe prepared to wait around 20-40 minutes for the tests to complete.
We invite contributors to collaborate on this effort. There are great tasks for beginners (the issues), a halo2 intermediate level (circuits), cryptography intermediate level (the v1 improvement to make it v2 compatible below), and on the application layer (building apps that use PLUME).
- Rewrite in halo2 (WIP by blakemscurr and vuvoth)
- [$500 Bounty] Edit Timofey's hash to curve halo2 circuit from BLS to secp256k1 in halo2 via editing CurveExt (and maybe adding some traits like Selectable), and add it to the existing WIP implementation.
- Reduce number of arguments to c in V1 via Wei Dai's + Poseidons suggestions (potentially just g^sk, h[m, pk], g^r is fine) that are currently used in the V2, and write a proof in the Algebraic Group Model for the change.
- [$500 Bounty] Fix stealthdrop MVP, the first anonymous airdrop to any Ethereum keys via PLUMEs -- repo and slides.
- [$500 Bounty] Implement ZK voting via PLUMEs, as described in Poseidons proposal.
- [Large bounty] Implement the ZK circuits in Noir to integrate them into Aztec.
Thesis [most up to date version]: https://aayushg.com/thesis.pdf
Paper [slightly out of date]: https://eprint.iacr.org/2022/1255
blog.aayushg.com/posts/nullifier
This describes the construction as well as explains our choices for the various hash/hash-to-curve functions.
ERC 7524 Taho Wallet Integration
https://www.youtube.com/watch?v=6ajBnMdJGoY
For the V1,
See this PR.
6.5 million constraints. Mostly dominated by EC operations, but the hashes are very expensive too.
sha256 ~1.5M. hash_to_curve ~0.5M. a/b^c ~1.5 each (this is the sub circuit for the first 2 verification equations). the remaining 1.5M is probably dominated by calculating g^s and h^s.
For the V2, the sha256 is 0 cost in the circuit, but is added to the verification cost. This takes in-circuit constraints down to 5M and adds the sha to the verification.
https://github.com/geometryresearch/secp256k1_hash_to_curve/ https://geometry.xyz/notebook/Hashing-to-the-secp256k1-Elliptic-Curve
We are giving a $500 grant for an implementation of this in halo2.
https://hackmd.io/uZQbMHrVSbOHvoI_HrJJlw
https://hackmd.io/VsojkopuSMuEA4vkYKSB8g?edit
notion.so/mantanetwork/PLUME-Discussion-6f4b7e7cf63e4e33976f6e697bf349ff
This includes some discussion on justifications for the V2 signature calculation, as well as concrete ways to use PLUME proofs + Proof of ECDSA to do nullifiers and voting respectively.