This repository provides libraries for the construction of deterministic nullifiers on Ethereum keys, ERC 7524. We call them Privately Linked Unique Message Entities (or PLUMEs). PLUMEs enable zk voting, anonymous proof of solvency, and anonymous message board moderation to be possible with Ethereum keys directly, and so we think it is a critical primitive to push forward blockchain adoption. To understand how this primitive works and the reason for design decisions, we recommend checking out our blog post.
We hope that wallets integrate the javascript, rust, or C repositories for both software and hardware signature generation, and dapps integrate the zk proof in the circuits/ directory.
To install our npm package for JS/TS, do
yarn add plume-sig
To install our Cargo package for Rust, do
cargo add plume_rustcrypto
Docs and usage guides are linked to from the packages.
If you would like to get a grant to create PLUME applications or improve the library, we have grants available from Ethereum Foundation PSE and Gitcoin Grants, and would give grants for any PRs to the repository! There are projects ideas both below in the README, as well as bountied every issue in Github has a $50 bounty on it. Feel free to pick one up, and dm us on Twitter/Telegram (@yush_g) for guidance and help, or join the discussion in the public channel in the PSE Discord for progress updates and community questions! This work was generously funded and supported by 0xPARC, Gitcoin donors, and EF PSE, and exists only due to the valuable work by contributors to this Github such as yush_g, Oren Yomtov, Richard Liu, Blake M Scurr, Piotr Roslaniec, Vu Voth, Weijie Koh, and Vivek Bhupatiraju who directly contributed to the code. Thanks to Poseidon Labs for a V2 proposal and Weiking Chen for his filed issues, and our auditors (0xbok), as well as all of the folks acknowledged in the research paper and blog post.
If you'd like to contribute, we offer $50 bounties in Eth/DAI for resolving any of the bugs in our issues! Each of them is quite small. That includes #28, #24, #14, and #13.
rust-k256
: Rust, using the k256 libraryrust-arkworks
: Rust, using arkworksjavascript
: JavaScript, using MIRACLWe have been audited by PSE Security for these three implementations V1 and V2 implementations, as well as for V1 circuits in circom. We expect the halo2 circuits to be runnable on mobile (once we have audited that code circa ~April and put up a recursive proving infrastructure setup).
First, clone this repository and navigate to the javascript/
directory.
Install dependencies:
pnpm i
If you encounter an error No prebuilt binaries found
, try switching to node v18.17.0
(using n
, for example) to work around our dependency's build issue.
Then, navigate to the circuits/
directory and install the dependencies there:
pnpm i
Run the tests:
pnpm run flatten-deps && \
pnpm run test
Be prepared to wait around 20-40 minutes for the tests to complete.
We invite contributors to collaborate on this effort. There are great tasks for beginners (the issues), a halo2 intermediate level (circuits), cryptography intermediate level (the v1 improvement to make it v2 compatible below), and on the application layer (building apps that use PLUME).
Thesis [most up to date version]: https://aayushg.com/thesis.pdf
Paper [slightly out of date]: https://eprint.iacr.org/2022/1255
This describes the construction as well as explains our choices for the various hash/hash-to-curve functions.
ERC 7524 Taho Wallet Integration
https://www.youtube.com/watch?v=6ajBnMdJGoY
For the V1,
See this PR.
6.5 million constraints. Mostly dominated by EC operations, but the hashes are very expensive too.
sha256 ~1.5M. hash_to_curve ~0.5M. a/b^c ~1.5 each (this is the sub circuit for the first 2 verification equations). the remaining 1.5M is probably dominated by calculating g^s and h^s.
For the V2, the sha256 is 0 cost in the circuit, but is added to the verification cost. This takes in-circuit constraints down to 5M and adds the sha to the verification.
https://github.com/geometryresearch/secp256k1_hash_to_curve/ https://geometry.dev/notebook/Hashing-to-the-secp256k1-Elliptic-Curve
https://hackmd.io/uZQbMHrVSbOHvoI_HrJJlw
https://hackmd.io/VsojkopuSMuEA4vkYKSB8g?edit
notion.so/mantanetwork/PLUME-Discussion-6f4b7e7cf63e4e33976f6e697bf349ff
This includes some discussion on justifications for the V2 signature calculation, as well as concrete ways to use PLUME proofs + Proof of ECDSA to do nullifiers and voting respectively.