Awesome
PLUME: Verifiably Deterministic Signatures on ECDSA
This repository provides libraries for the construction of deterministic nullifiers on Ethereum keys, ERC 7524. We call them Privately Linked Unique Message Entities (or PLUMEs). PLUMEs enable zk voting, anonymous proof of solvency, and anonymous message board moderation to be possible with Ethereum keys directly, and so we think it is a critical primitive to push forward blockchain adoption. To understand how this primitive works and the reason for design decisions, we recommend checking out our blog post.
We hope that wallets integrate the javascript, rust, or C repositories for both software and hardware signature generation, and dapps integrate the zk proof in the circuits/ directory.
Installation
To install our npm package for JS/TS, do
yarn add plume-sig
To install our Cargo package for Rust, do
cargo add plume_rustcrypto
Docs and usage guides are linked to from the packages.
Contributions and Grants
If you would like to get a grant to create PLUME applications or improve the library, we have grants available from Ethereum Foundation PSE and Gitcoin Grants, and would give grants for any PRs to the repository! There are projects ideas both below in the README, as well as bountied every issue in Github has a $50 bounty on it. Feel free to pick one up, and dm us on Twitter/Telegram (@yush_g) for guidance and help, or join the discussion in the public channel in the PSE Discord for progress updates and community questions! This work was generously funded and supported by 0xPARC, Gitcoin donors, and EF PSE, and exists only due to the valuable work by contributors to this Github such as yush_g, Oren Yomtov, Richard Liu, Blake M Scurr, Piotr Roslaniec, Vu Voth, Weijie Koh, and Vivek Bhupatiraju who directly contributed to the code. Thanks to Poseidon Labs for a V2 proposal and Weiking Chen for his filed issues, and our auditors (0xbok), as well as all of the folks acknowledged in the research paper and blog post.
If you'd like to contribute, we offer $50 bounties in Eth/DAI for resolving any of the bugs in our issues! Each of them is quite small. That includes #28, #24, #14, and #13.
Implementations
rust-k256
: Rust, using the k256 libraryrust-arkworks
: Rust, using arkworksjavascript
: JavaScript, using MIRACL
Wallet Implementations
- Mina: Uses it for nullifiers in their code here and here. They use Poseidon for the hash function instead, which makes it slower to generate in hardware wallets, but faster to prove. Their docs for this scheme are here.
- Taho: We have an open PR that we are waiting on them to merge!
- Rabby: We have an open PR that we are waiting on them to merge!
- Metamask: We have an open PR set (rpc, api, core) that we are waiting on them to merge! Snaps dropped support for secret key access so a Metamask Snap is no longer a tenable path, although we did have a snap as well.
- Aztec: Noir implementation finished here, still pending audit.
- Ledger: This app compiles and generates PLUME signatures on embedded hardware and works on Ledgers. Test via the Ledger app builder.
- ZK Snap: The "holy grail of private voting", according to Ameen, co-author of the private voting report. Uses PLUME as a core component of an end-to-end private voting system.
Audits
We have been audited by PSE Security for these three implementations V1 and V2 implementations, as well as for V1 circuits in circom. We expect the halo2 circuits to be runnable on mobile (once we have audited that code circa ~April and put up a recursive proving infrastructure setup).
Testing the circom circuit
First, clone this repository and navigate to the javascript/
directory.
Install dependencies:
pnpm i
If you encounter an error No prebuilt binaries found
, try switching to node v18.17.0
(using n
, for example) to work around our dependency's build issue.
Then, navigate to the circuits/
directory and install the dependencies there:
pnpm i
Run the tests:
pnpm run flatten-deps && \
pnpm run test
Be prepared to wait around 20-40 minutes for the tests to complete.
Open Work
We invite contributors to collaborate on this effort. There are great tasks for beginners (the issues), a halo2 intermediate level (circuits), cryptography intermediate level (the v1 improvement to make it v2 compatible below), and on the application layer (building apps that use PLUME).
- Create a V3
- Reduce number of arguments to c in V1 via Wei Dai's + Poseidons suggestions (potentially just g^sk, h[m, pk], g^r is fine) that are currently used in the V2, and write a proof in the Algebraic Group Model for the change.
- [$500 Bounty] Fix stealthdrop MVP, the first anonymous airdrop to any Ethereum keys via PLUMEs -- repo and slides.
- [$500 Bounty] Implement ZK voting via PLUMEs, as described in Poseidons proposal.
- [$500 bounty] Implement the ZK circuits in Noir to integrate them into Aztec.
Resources
Paper
Thesis [most up to date version]: https://aayushg.com/thesis.pdf
Paper [slightly out of date]: https://eprint.iacr.org/2022/1255
Slides
Blog Post
This describes the construction as well as explains our choices for the various hash/hash-to-curve functions.
ERC 7524
ERC 7524 Taho Wallet Integration
Demo
Talk
https://www.youtube.com/watch?v=6ajBnMdJGoY
Circom Proof Data
For the V1,
See this PR.
6.5 million constraints. Mostly dominated by EC operations, but the hashes are very expensive too.
sha256 ~1.5M. hash_to_curve ~0.5M. a/b^c ~1.5 each (this is the sub circuit for the first 2 verification equations). the remaining 1.5M is probably dominated by calculating g^s and h^s.
For the V2, the sha256 is 0 cost in the circuit, but is added to the verification cost. This takes in-circuit constraints down to 5M and adds the sha to the verification.
Hash to Curve Circom Code and Explainer
https://github.com/geometryresearch/secp256k1_hash_to_curve/ https://geometry.dev/notebook/Hashing-to-the-secp256k1-Elliptic-Curve
Nullifier Calculation Spec
https://hackmd.io/uZQbMHrVSbOHvoI_HrJJlw
Circom Verification Spec
https://hackmd.io/VsojkopuSMuEA4vkYKSB8g?edit
V2 Spec and Discussion
notion.so/mantanetwork/PLUME-Discussion-6f4b7e7cf63e4e33976f6e697bf349ff
This includes some discussion on justifications for the V2 signature calculation, as well as concrete ways to use PLUME proofs + Proof of ECDSA to do nullifiers and voting respectively.