This repo contains Noir libraries that implement:
- A BabyJubJub curve gadget library (group operations, subgroup checks, hash-to-curve)
- Circuits/gadgets for an OPRF flow used by the TACEO:OPRF service, including Chaum–Pedersen DLog equality verification
For a detailed writeup of the OPRF protocol we refer to the paper.
This repository contains two independent Nargo packages:
- `babyjubjub/` (library)
  - Twisted Edwards BabyJubJub operations (`BabyJubJubPoint`): add/double/negate, scalar mul (variable-base)
  - Subgroup check (`check_sub_group`) and scalar-field validation helpers
  - Hash-to-curve (`hash_to_curve::encode`) based on Elligator2 (RFC 9380 style mapping) with cofactor clearing
  - Optimized fixed-base multiplication for the generator (`generator_scalar_mul`) using a window method
- `oprf/` (library)
  - `blinded_query`: derives the blinded query point
  - `dlog`: verifies a Chaum–Pedersen discrete-log equality proof using Poseidon2 as the challenge hash
  - `oprf_output`: end-to-end gadget that checks the proof + unblinding and computes the final output
- `oprf_example/` (binary)
  - a simple example binary demonstrating the `oprf` gadgets end-to-end
At a high level, the `oprf` library helps prove (in-circuit) that:
- A client input $q$ was mapped to a BabyJubJub point $Q = encode(q)$.
- The client blinded the query with randomness $\beta$ to get $b_q = \beta \cdot Q$.
- The OPRF servers responded with a blinded response and a Chaum–Pedersen proof showing consistency with their public key.
- The client unblinded the response off-circuit (to avoid in-circuit inversion) and the circuit verifies the unblinding.
- The verified output is derived as a Poseidon2 hash of a domain separator, the query, and the unblinded response point coordinates.
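The flow above, as an added Python example that is not part of this repo's Noir code: affine twisted Edwards arithmetic on BabyJubJub, a Chaum–Pedersen DLEQ proof over it, and the off-circuit unblinding followed by the equality check the circuit performs instead of an inversion. Assumptions: SHA-256 stands in for Poseidon2 as the challenge hash, the hash-to-curve step is replaced by a fixed subgroup point, and the curve constants are the standard BabyJubJub parameters.

```python
import hashlib

# BabyJubJub over the BN254 scalar field, twisted Edwards form A*x^2 + y^2 = 1 + D*x^2*y^2
P = 21888242871839275222246405745257275088548364400416034343698204186575808495617
A, D = 168700, 168696
L = 2736030358979909402780800718157159386076813972158567259200215660948447373041  # prime subgroup order
B8 = (5299619240641551281634865583518297030282874472190772894086521144482721001553,
      16950150798460657717958625567821834550301663161624707787222815936182638968203)  # subgroup generator
IDENTITY = (0, 1)

def add(p1, p2):  # complete twisted Edwards addition (denominators never vanish on this curve)
    (x1, y1), (x2, y2) = p1, p2
    t = D * x1 * x2 * y1 * y2
    x3 = (x1 * y2 + y1 * x2) * pow(1 + t, -1, P) % P
    y3 = (y1 * y2 - A * x1 * x2) * pow(1 - t, -1, P) % P
    return (x3, y3)

def mul(k, pt):  # plain double-and-add; the circuit uses a windowed fixed-base method for B8
    acc = IDENTITY
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def challenge(*points):  # Fiat-Shamir challenge over all transcript points; SHA-256 stands in for Poseidon2
    data = b"|".join(f"{x},{y}".encode() for x, y in points)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % L

def dleq_prove(sk, bq, k):  # server: R = sk*b_q and a proof that log_B8(PK) == log_bq(R), nonce k
    pk, r = mul(sk, B8), mul(sk, bq)
    c = challenge(pk, bq, r, mul(k, B8), mul(k, bq))
    return r, (c, (k + c * sk) % L)

def dleq_verify(pk, bq, r, proof):  # recompute s*B8 - c*PK and s*b_q - c*R, then re-derive c
    c, s = proof
    t1 = add(mul(s, B8), mul(L - c, pk))  # L - c acts as -c because pk has order L
    t2 = add(mul(s, bq), mul(L - c, r))
    return c == challenge(pk, bq, r, t1, t2)

def oprf_round(q_point, beta, sk, k):  # client: blind Q, verify the server's (R, proof), unblind
    bq = mul(beta, q_point)                 # b_q = beta * Q
    r, proof = dleq_prove(sk, bq, k)        # constructed server response for this example
    assert dleq_verify(mul(sk, B8), bq, r, proof), "bad DLEQ proof"
    unblinded = mul(pow(beta, -1, L), r)    # beta^-1 * R, computed off-circuit
    assert mul(beta, unblinded) == r        # the in-circuit unblinding check (no inversion needed)
    return unblinded
```

The returned point equals `sk * Q`, which is what the final Poseidon2 output hash binds together with the domain separator and the query.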
We provide a `justfile` in the root of the repository. Run `just` in your terminal to execute the tests. If you do not have `just` installed, you can `cd` into the package directories and run `nargo test`.