PLUME is an emerging standard for anonymous nullifiers that is compatible with existing Ethereum keys and hardware wallets. This has numerous applications in anonymous voting, airdrops and other applications.
The design of PLUME ensures all operations that require a private key can be performed out-of-circuit in a secure element such as a hardware wallet. The client side operations have been implemented for different wallets[1].
This application is to implement the PLUME verification circuit in Noir for the secp256k1 curve that maintains compatibility with existing Ethereum keypairs and the existing PLUME client side library.
PLUME is parameterized by the choice of curve and hash function. This will be reflected in the implementation using traits and generics in Noir.
The primary operation in-circuit to prove/verify a PLUME nullifier is a hash-to-curve operation, with the remainder being relatively simple hashing and equality check. The core of this proposal is an efficient and secure implementation of hash-to-curve in Noir.
The draft IEFT standard[2] specifies the details of the hash-to-curve ciphersuite. This can be split into two main operations of hashing to a finite field (hash_to_field
) and mapping to a curve (map_to_curve
).
Hashing to field applies a regular hash function then expands the result into a number of elements in the chosen field (which can be implemented as generic over the Noir Hasher
trait).
Mapping to curve implementation differs depending on the type of curve. The specific secp256k1 map_to_curve
implementation uses a simplified SWU method [2:1] over a different curve that is isogenous to the secp256k1 curve followed by an isogeny map. As shown in the circom implementation the isogeny map can be implemented in terms of simple field arithmatic operations.
The final part of hash_to_curve
involves one call to hash_to_field and two calls to map_to_curve
followed by an elliptic curve point addition.
In [3] it is estimated that the entire hash-to-curve operation requires ~500k constraints when implemented for the groth16 proving system and we can expect comparable complexity for a Noir implementation.
The proposed implementation in Noir will build upon the BigField implementation in the standard library which supports the secp256k1 base field.
Given a message , curve generator , ECDSA keypair , secure random value , a hash-to-curve implementation , and cryptographic hash function , the PLUME circuit can be defined as follows:
Given private inputs:
and public inputs:
the circuit must check the constraint
The primary operations required in-circuit are a hash-to-curve operation and a regular cryptographic hashing of curve points. No elliptic curve operations are required as part of the PLUME nullifier check outside of hash-to-curve.
There is an existing Circom implementation of PLUME which makes use of the Circom implementation of hash-to-curve for secp256k1 implemented by Geometry Research.
Additionally the work done by Geometry Research on standardizing hash-to-curve for common curves including secp256k1 and the resulting IETF draft standard.
A prototype Noir implementation of hash-to-curve following the IETF standard exists however this appears unmaintained, uses an older version of Noir, and depends on obsolete libraries for curve and bigint operations.
Regardles this is a useful resources that can serve as a reference.
The IEFT draft standard provides complete test vectors for common instantiations of hash-to-curve and Noir tests can be programatically generated from these.
A full test suite will be written in Noir following the examples set out in the PLUME circom implementation tests.
hash_to_field
generic over hash algorithmmap_to_curve
variant specific to secp256k1
map_to_curve
implementationChainSafe R&D is a consulting team within ChainSafe with specialized skills in cryptography and systems design. Founded in 2020 we have successfully delivered projects for dozens of notable clients including:
We have experience developing production ready ZK implementations of cryptographic primitives. Notably a Halo2 implementation of BLS12-381 pairings which has been audited and is used in the Sygma cross-chain protocol.
ChainSafe is happy to accept fully retroactive payment only upon successful delivery of all above milestones.