# Plume Nullifier Circuit

* **Estimated Duration:** 2 weeks
* **FTE:** 1
* **Costs:** $5000
* **Estimated delivery date:** 9-Feb-2023

[This blog](ahfjL$#ee-B812lvhg5+5P6&d) and [this talk](https://www.youtube.com/watch?v=6ajBnMdJGoY) describe the purpose of the nullifier, and [the paper](https://eprint.iacr.org/2022/1255) gives full security proofs. The official repo for this nullifier scheme is github.com/zk-nullifier-sig/zk-nullifier-sig.

## Definitions

Full explanations can be found in the content linked above, but this is a quick reference for understanding the deliverables.

| Variable | Definition |
| ------ | ------ |
| $g$ | Generator of the secp256k1 elliptic curve |
| $r$ | Random blinding value to hide the user's secret key and the brute-forceable nullifier (the hash of the public key and message). |
| $s$ | The result of blinding the secret key |
| $pk$ | The user's public key |
| $c$ | A [Fiat-Shamir](https://en.wikipedia.org/wiki/Fiat%E2%80%93Shamir_heuristic) style commitment to $s$ and $pk$. |
| $\mathrm{hash\_to\_curve}$ | A hash that takes a scalar to a uniformly random point on the secp256k1 elliptic curve. |
| $h$ | A unique but brute-forceable nullifier, not yet hidden by the secret key. |

## Deliverables

| Number | Deliverable | Specification |
| ------------- | ------------- | ------------- |
| 1 | Organise | Confirm work with PL/Aayush |
| 2 | Calculate $g^r$ | `ECDSAPrivToPub` on $s$.<br> `Secp256k1ScalarMult` on $pk$ and $c$.<br> Invert with BigSub $p-pk^c$.<br> Add those with `Secp256k1AddUnequal` to get $g^r$. |
| 3 | Calculate $\mathrm{hash\_to\_curve}[m, pk]^r$ | $h = \mathrm{hash\_to\_curve}[m, g^{sk}]$.<br> `Secp256k1ScalarMult` on $h$ and $s$. <br>`Secp256k1ScalarMult` on nul and $c$.<br> Invert that by negating the $y$ coordinate $(p-y)$.<br> Add those with `Secp256k1AddUnequal` to get $h^r$. |
| 4 | Outer hash | Array concatenation on all 6 of these signals.<br> Call sha256 on concatenation. |
| 5 | Reviewed | Merged into [upstream repo](https://github.com/geometryresearch/secp256k1_hash_to_curve/) or similar.
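
The arithmetic in deliverables 2 to 4, as a plain-Python reference model that circuit outputs could be compared against. This is an added example, not code from the nullifier repo. It assumes $s = r + sk \cdot c \bmod n$ (which is what makes $g^s \cdot (pk^c)^{-1} = g^r$), takes the six hashed signals to be $g$, $pk$, $h$, nul, $g^r$, $h^r$ in that order as 32-byte big-endian coordinates, and uses a try-and-increment map as a stand-in for the real $\mathrm{hash\_to\_curve}$.

```python
import hashlib
# secp256k1: field prime p, group order n, generator g
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(a, b):  # affine addition; None is the point at infinity
    if a is None or b is None:
        return a or b
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    num, den = (3 * x1 * x1, 2 * y1) if a == b else (y2 - y1, x2 - x1)
    lam = num * pow(den % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def mul(k, pt):  # double-and-add scalar multiplication, not constant time
    acc = None
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def neg(pt):  # point inverse: keep x, replace y with p - y
    return (pt[0], P - pt[1])
def ser(*pts):  # x || y per point, 32-byte big-endian (assumed encoding)
    return b"".join(c.to_bytes(32, "big") for pt in pts for c in pt)

def hash_to_curve(m, pk):  # try-and-increment stand-in, NOT the real map
    for ctr in range(256):
        x = int.from_bytes(hashlib.sha256(m + ser(pk) + bytes([ctr])).digest(), "big") % P
        y = pow(x**3 + 7, (P + 1) // 4, P)  # square-root candidate, p = 3 mod 4
        if y * y % P == (x**3 + 7) % P:
            return (x, y)

def challenge(pk, h, nul, gr, hr):  # outer hash over six signals (assumed order)
    return int.from_bytes(hashlib.sha256(ser(G, pk, h, nul, gr, hr)).digest(), "big") % N

def sign(sk, r, m):  # prover side, outside the circuit; r must be fresh and secret
    pk = mul(sk, G); h = hash_to_curve(m, pk); nul = mul(sk, h)
    c = challenge(pk, h, nul, mul(r, G), mul(r, h))
    return pk, nul, c, (r + sk * c) % N

def verify(m, pk, nul, c, s):  # deliverables 2-4
    h = hash_to_curve(m, pk)
    gr = add(mul(s, G), neg(mul(c, pk)))   # g^r = g^s * (pk^c)^-1
    hr = add(mul(s, h), neg(mul(c, nul)))  # h^r = h^s * (nul^c)^-1
    return challenge(pk, h, nul, gr, hr) == c
```

Unlike `Secp256k1AddUnequal`, `add` here also handles equal and inverse inputs, so it can flag inputs for which the unequal-points assumption would not hold.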