Poseidon2 + Grumpkin = Pumpkin 🎃
Plume using the Grumpkin curve, Poseidon2 hash, and a map-to-curve approach specifically for BN curves.
These choices of curve and hash seek to minimise constraint counts in circuits. The last I measured, it's ~3300 constraints to verify a plume nullifier with this approach.
This approach has been written quickly, with no review. It will have bugs. The approach might not even be sound. Don't use it.
Forked from https://github.com/distributed-lab/noir-plume. The lovely repo layout remains. The code relating to secp256k1, sha256, byte manipulation, and the map-to-curve approach using secp256k1 isogenies, has all been removed. The Sage code also remains, with modifications and additions for Grumpkin, Poseidon2, and map-to-curve.
Retaining the original license, for simplicity:
Plume is needed to confirm your identity without disclosing your private data, i.e. with a zero-knowledge proof. Plume has another feature: you can send a message from a private group using a special group message. For more details visit https://blog.aayushg.com/nullifier/.
TODO
See the example in crates/use.
For proving data generation, check out our SageMath implementation.
TODO. Headline: it's about 3300 constraints.
TODO
- https://www.di.ens.fr/~fouque/pub/latincrypt12.pdf
- https://www.normalesup.org/~tibouchi/papers/bnhash-scis.pdf
- https://blog.aayushg.com/nullifier/#why-use-sha256-as-the-hash-function
- https://github.com/geometryxyz/secp256k1_hash_to_curve?tab=readme-ov-file
- https://github.com/cfrg/draft-irtf-cfrg-hash-to-curve/blob/main/poc/README.md
- https://www.rfc-editor.org/rfc/rfc9380#name-bls12-381-g1
- https://github.com/distributed-lab/noir-plume