This allows for the construction of deterministic nullifiers. We intend to deploy it as Privately Linked Unique Message Entities (PLUME).
- rust-k256: Rust, using the k256 library
- rust-arkworks: Rust, using arkworks
- javascript: JavaScript, using MIRACL
First, clone this repository and navigate to the javascript/ directory.
Install dependencies:
npm i
Then, navigate to the circuits/ directory and install the dependencies there:
npm i
Run the tests:
npm run flatten-deps && \
npm run test
Be prepared to wait around 20-40 minutes for the tests to complete.
- Incorporate the V2 proposed by poseidon to be a codepath both in the wallet WIP PR and in the circom (task still open)
- improve rust-k256 to use a similar interface as rust-arkworks
  - i.e. generate/accept arbitrary keypairs and r values, and not just hardcoded values
- rewrite in halo2 (WIP by blakemscurr and vuvoth, dm to contribute via a grant!)
- reduce number of arguments to c via Wei Dai's + Poseidon's suggestions
- Edit: Poseidon will be too slow in Ledger and is a newer hash function -- given that we have reasonably efficient sha256 hashing with zkevm sha256, we do not intend to switch the hash function
Thesis [most up to date]: https://aayushg.com/thesis.pdf
Paper: https://eprint.iacr.org/2022/1255
https://blog.aayushg.com/posts/nullifier
https://ivy-docs.notion.site/PLUME-ERC-Draft-5558bbd43b674bcb881f5c535ced5893
https://www.youtube.com/watch?v=6ajBnMdJGoY
See this PR.
6.5 million constraints. Mostly dominated by EC operations, but the hashes are very expensive too.
sha256 ~1.5M. hash_to_curve ~0.5M. a/b^c ~1.5 each (this is the subcircuit for the first 2 verification equations). The remaining 1.5M is probably dominated by calculating g^s and h^s.
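The two verification equations named in the breakdown above (the a/b^c subcircuit, fed by g^s and h^s), sketched in JavaScript as an added example; this is not the repository's code. Assumptions: the RFC 3526 modp14 group stands in for secp256k1, squaring a SHA-256 digest stands in for hash_to_curve, and the function names and the encoding of the inputs to c are illustrative.

```javascript
// Added sketch, not the repository's code. Assumed stand-ins: the RFC 3526
// modp14 group replaces secp256k1 and hashToGroup replaces hash_to_curve.
const crypto = require("node:crypto");

const P = BigInt("0x" + crypto.getDiffieHellman("modp14").getPrime("hex"));
const Q = (P - 1n) / 2n; // P is a safe prime: the squares form a subgroup of prime order Q
const G = 4n; // a square other than 1, so it generates that subgroup

const mod = (a, m) => ((a % m) + m) % m;
function modPow(base, exp, m) {
  let result = 1n;
  for (base = mod(base, m); exp > 0n; exp >>= 1n) {
    if (exp & 1n) result = (result * base) % m;
    base = (base * base) % m;
  }
  return result;
}
const inv = (a) => modPow(a, P - 2n, P); // Fermat inverse mod P
const sha256Int = (...parts) =>
  BigInt("0x" + crypto.createHash("sha256").update(parts.join("|")).digest("hex"));
// Toy replacement for hash_to_curve: squaring lands in the order-Q subgroup.
const hashToGroup = (msg, pk) => modPow(sha256Int("h2g", msg, pk), 2n, P);
const challenge = (pk, h, nul, gr, hr) => mod(sha256Int(G, pk, h, nul, gr, hr), Q);
const randScalar = () => mod(BigInt("0x" + crypto.randomBytes(264).toString("hex")), Q);
const inGroup = (x) => x > 1n && x < P && modPow(x, Q, P) === 1n;

function keygen() {
  const sk = randScalar();
  return { sk, pk: modPow(G, sk, P) };
}

function sign(msg, { sk, pk }) {
  const r = randScalar(); // fresh per signature
  const h = hashToGroup(msg, pk);
  const nullifier = modPow(h, sk, P); // fixed by (msg, sk); r never enters
  const c = challenge(pk, h, nullifier, modPow(G, r, P), modPow(h, r, P));
  return { nullifier, c, s: mod(r + sk * c, Q) };
}

function verify(msg, pk, { nullifier, c, s }) {
  if (!inGroup(pk) || !inGroup(nullifier)) return false;
  const h = hashToGroup(msg, pk);
  const gr = (modPow(G, s, P) * inv(modPow(pk, c, P))) % P; // g^s / pk^c
  const hr = (modPow(h, s, P) * inv(modPow(nullifier, c, P))) % P; // h^s / nullifier^c
  return c === challenge(pk, h, nullifier, gr, hr);
}
```

Two signatures by the same key over the same message carry the same nullifier but different s values, so a verifier can detect reuse without learning which key signed.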
https://github.com/geometryresearch/secp256k1_hash_to_curve/