Penumbra uses the following cryptographic primitives, each described in its own section:
The Proof System section describes the choice of proving curve (BLS12-377) and proof system (Groth16, and potentially PLONK in the future);
decaf377, a parameterization of the Decaf construction defined over the BLS12-377 scalar field, providing a prime-order group that can be used inside or outside of a circuit;
The Poseidon for BLS12-377 section describes parameter selection for an instantiation of Poseidon, a SNARK-friendly sponge construction, over the BLS12-377 scalar field;
The Fuzzy Message Detection section describes a construction that allows users to outsource a probabilistic detection capability, letting a third party scan and filter the chain on their behalf without revealing precisely which transactions are theirs.
The Homomorphic Threshold Decryption section describes the construction used to batch flows of value across transactions.
The Randomizable Signatures section describes decaf377-rdsa, a variant of the Zcash RedDSA construction instantiated over decaf377, used for binding and spend authorization signatures.
The Key Agreement section describes decaf377-ka, an instantiation of Diffie-Hellman key agreement over