Weikeng Chen
Lookup tables would be useful for bit decomposition of a few bits. The challenge seems to be here: the current `nonnative` library targets general R1CS and does not assume...
And also in this reign, it would be great if there is a more generalized constraint system + a more efficient bit testing protocol (which I don't know, but there...
I assign this to myself since one of my ongoing projects needs this.
Note that the need for subgroup security depends on the specific application. For example, if one is using the BN curve, and only $G_1$ is being transmitted between malicious parties,...
And also, prevention against subgroup attacks can be done via a full membership check (which checks if the element is, not just a point on the curve, but in the...
First let me link it to the main issue: https://github.com/arkworks-rs/crypto-primitives/issues/95 Basically, the constants will change depending on the curve or the application. And as you mention, either pre-generating a bunch...
cc @weijiekoh and @kobigurk for more discussion.
Is the final step of the hash-to-curve algorithm a single exponentiation on the curve? From my understanding, the map on secp256k1 constructs a point on the curve in a way...
added that this also nicely explains the separation between the prover and the signer, as this is the same as the original undeniable signature syntax.
I think the GDH signature does provide an easy framework to describe PLUME. Interesting that none of the experts in your acknowledgment recalled GDH.