Team: Ivy Research
Project Name: Unique Pseudonymity with PLUME Nullifiers
Project Description
Zero knowledge identity systems based on anonymous proof-of-ownership are poised to be an interesting social experimentation tool in the coming years. For instance, you could have a message board where you prove you own an NFT to participate in that DAO’s discussions but don’t reveal who you are. You could also have a message board where you can attach some proof of credibility, like evidence of a past Ethereum action. To unleash the full power of these systems, you need moderation: the only way to store anonymous reputation or to anonymously ban is to have some unique value on each account that gives them deterministic anonymity.
You might also want to vote anonymously -- to gate an anonymous voting system by coin or NFT ownership for instance, you need a system that keeps people anonymous but prevents double voting. Finally, you might want anonymous proof of solvency for a DEX, but ensure that two DEXes can privately prove they aren't using the same account in any of their proofs.
ECDSA signatures are not enough for this, and so our goal is to add a new signature scheme directly on existing Ethereum keys that enables this. PLUME nullifiers give such a value, which is useful for sybil resistance, reputation across pseudonymous posts, or preventing pseudonymous double voting or spending with Ethereum keys. Signatures via ECDSA are useful to prove ownership of signed data, but they are nondeterministic, meaning a signer can produce an arbitrary number of signatures for a message (even for deterministic ECDSA). We ultimately enable unique pseudonymity by deploying verifiably unique signatures on Ethereum (PLUMEs). This grant will fund the team to ship these signatures for all Ethereum keys in Metamask natively, as well as propose an EIP to standardize this across wallets.
We hope that this proposal can ensure Metamask maintains relevance as ZK applications start to dominate the landscape of emerging Ethereum applications.
Project Goals
A successful conclusion of the project in the scope of this Metamask grant will encompass the following from PLUME's side:
1. A PR (hopefully merged) of a Metamask snap of the PLUME nullifier scheme, in JavaScript
2. Circom circuits and a Solidity verifier, used to demonstrate an end-to-end zero knowledge proof demo of the nullifier scheme
3. An ERC draft ready to be reviewed by Ethereum stakeholders
4. A simple proof of concept application (stealthdrop, or private voting) built with this nullifier scheme
5. An audit of the end-to-end code
6. A PR (hopefully merged) of a Metamask core integration of the PLUME nullifier scheme, in JavaScript
The Metamask team will hopefully have
In the past, we have constructed a Rust-WASM Metamask snap to perform this scheme, which used a WASM port of existing Rust code. We have already discussed (with the snaps and Metamask team) the reasons to be in core, but recent Metamask shifts to prioritize snaps mean that we will ship that first, while advocating for core integration.
Target Milestones
We expect the milestones to be accomplished in the order of our deliverables: 1, 2, 3, and 4. Deliverable 5 will be started, and deliverable 6 will depend on the Metamask team.
Timeline / Path to Production
We hope that milestones 1-4 can be completed in 3 months after receiving the grant. We hope the process for 5 and 6 has begun, but those depend on external parties. The funds will be disbursed by Ivy Research, which we hope can help fund contributor grants and its applications. Money will also go towards funding conference travel related to PLUME, as well as audit costs.
About Team
Aayush Gupta: Working with Ivy Research (ivyresearch.org) to advance signature-based identity constructions. Previously worked with 0xPARC and MIT on various zero knowledge projects. Co-shipped a zk message board prototype 2 years ago (zkmessage.aayushg.com/), co-shipped stealthdrop with a team of 3 with the existential bug that motivates this construction (stealthdrop.xyz), co-shipped private vickrey auctions with a team of 5 (vickrey.xyz), co-wrote the paper motivating this construction along with the first Rust proof of concept (aayushg.com/thesis.pdf), and lectured at MIT about applied zk cryptography (zkiap.aayushg.com).
Richard Liu: Has worked on encrypted end-to-end email at Skiff for over a year, helped run protocol governance as part of Blockchain @ Berkeley, and graduated from Berkeley M.E.T.
Other team members who have contributed include Kobi Gurkan (helped write the original paper and helped come up with the original construction), Wei Jie Koh (wrote the hash-to-curve part of the circom proving code with Geometry Research and an arkworks implementation), Blake M Scurr (wrote ZK circuits), Vivek B (helped write original proofs and strategy), Vu V (OSS bugfix contributions), and Piotr Roslaniec (wrote an early Rust-based Metamask snap).
Funding Request
$35,000.00. $15,000 will go towards developer costs and grants, and $20,000 will go towards a security audit.
What specific software license does the grantee intend to publish under?
We will use the most permissive licenses possible. We intend to use the MIT license for everything we can (i.e. our repos), and GPL-3 for all of the code that requires GPL-3 as mandated by dependencies.
Other Information / Relevant Links / Supporting Documents
We have previously published work with Metamask in this blog post:
https://metamask.io/news/developers/zk-nullifier-snap-enabling-the-next-generation-of-pseudonymous-apps/ and in this video: https://www.youtube.com/watch?v=TEfvAKeu8s8 .
Youtube - ZK8: A New ZK Nullifier Signature for ECDSA - Aayush Gupta - 0xPARC https://www.youtube.com/watch?v=6ajBnMdJGoY&