SwapClaim Descriptions

Each swap claim contains a SwapClaimBody and a zk-SNARK swap claim proof.

Invariants

The invariants that the SwapClaim upholds are described below.

Local Invariants

You cannot mint swap outputs to a different address than what was specified during the initial swap.
You cannot mint swap outputs to different assets than those specified in the original swap.
You cannot mint swap outputs to different amounts than those specified by the batch swap output data.

3.1. You can only claim your contribution to the batch swap outputs.

3.2. You can only claim the outputs using the batch swap output data for the block in which the swap was executed.
You can only claim swap outputs for swaps that occurred.
You can only claim swap outputs once.

5.1. Each positioned swap has exactly one valid nullifier for it.

5.2. No two swaps can have the same nullifier.
The SwapClaim does not reveal the amounts or asset types of the swap output notes, nor does it reveal the identity of the claimant.
The balance contribution of the value of the swap output notes is private.

Local Justification

The Swap commits to the claim address. The SwapClaim circuit enforces that the same address used to derive the swap commitment is that used to derive the note commitments for the two output notes via the Swap Commitment Integrity and Output Note Commitment Integrity checks.
The SwapClaim circuit checks that the trading pair on the original Swap is the same as that on the batch swap output data via the Trading Pair Consistency Check.
You cannot mint outputs to different amounts via:

3.1. The output amounts of each note is checked in-circuit to be only due to that user’s contribution of the batch swap output data via the Output Amounts Integrity check.

3.2. The circuit checks the block height of the swap matches that of the batch swap output data via the Height Consistency Check. The ActionHandler for the SwapClaim checks that the batch swap output data provided by the SwapClaim matches that saved on-chain for that output height and trading pair.
The SwapClaim circuit verifies that there is a valid Merkle authentication path to the swap in the global state commitment tree.
You can only claim swap outputs once via:

5.1. A swap’s transmission key binds to the nullifier key as described in the Nullifier Key Linking section, and all components of a positioned swap, along with this key, are hashed to derive the nullifier, in circuit as described below in the Nullifier Integrity section.

5.2. In the ActionHandler for check_stateful we check that the nullifier is unspent.
The revealed SwapClaim on the nullifier does not reveal the swap commitment, since the Nullifier Integrity check is done in zero-knowledge. The amount and asset type of each output note is hidden via the hiding property of the note commitments, which the claimer demonstrates an opening of via the Output Note Commitment Integrity check.
The balance contribution of the two output notes is zero. The only contribution to the balance is the pre-paid SwapClaim fee.

1.1. This action mints the swap’s output notes, and is reflected in the balance by adding the value from the transaction value balance. Value is not created due to system level invariant 1, which ensures that transactions contribute a 0 value balance.

SwapClaim zk-SNARK Statements

The swap claim proof demonstrates the properties enumerated below for the private witnesses known by the prover:

Swap plaintext corresponding to the swap being claimed. This consists of:
- Trading pair, which consists of two asset IDs $I D_{1}, I D_{2} \in F_{q}$
- Fee value which consists of an amount $v_{f}$ interpreted as an $F_{q}$ constrained to fit in 128 bits and an asset ID $I D_{v_{f}} \in F_{q}$
- Input amount $Δ_{1 i}$ of the first asset interpreted as an $F_{q}$ constrained to fit in 128 bits
- Input amount $Δ_{2 i}$ of the second asset interpreted as an $F_{q}$ constrained to fit in 128 bits
- Rseed, interpreted as an $F_{q}$
- Diversified basepoint $B_{d} \in G$ corresponding to the claim address
- Transmission key $p k_{d} \in G$ corresponding to the claim address
- Clue key $c k_{d} \in F_{q}$ corresponding to the claim address
Swap commitment $sc m \in F_{q}$
Merkle proof of inclusion for the swap commitment, consisting of a position pos constrained to fit in 48 bits and an authentication path consisting of 72 $F_{q}$ elements (3 siblings each per 24 levels)
Nullifier deriving key $nk \in F_{q}$
Spend verification key $ak \in G$
Output amount $Λ_{1 i}$ of the first asset interpreted as an $F_{q}$ constrained to fit in 128 bits
Output amount $Λ_{2 i}$ of the second asset interpreted as an $F_{q}$ constrained to fit in 128 bits
Note blinding factor $rc m_{1} \in F_{q}$ used to blind the first output note commitment
Note blinding factor $rc m_{2} \in F_{q}$ used to blind the second output note commitment

And the corresponding public inputs:

Merkle anchor $\in F_{q}$ of the state commitment tree
Nullifier $n f \in F_{q}$ corresponding to the swap
Fee to claim the outputs which consists of an amount $v_{f}$ interpreted as an $F_{q}$ constrained to fit in 128 bits and an asset ID $I D_{v_{f}} \in F_{q}$
The batch swap output data, which consists of:
- trading pair, which consists of two asset IDs $I D_{p i 1}, I D_{p i 2} \in F_{q}$
- 128-bit fixed point values (represented in circuit as four 64-bit (Boolean constraint) limbs) for the batched inputs $Δ_{1}, Δ_{2}$ , outputs $Λ_{1}, Λ_{2}$ , and the unfilled quantities $U_{1}, U_{2}$
- block height $h \in F_{q}$ constrained to fit in 64 bits
- starting height of the epoch $h_{e} \in F_{q}$ constrained to fit in 64 bits
Note commitment of the first output note $c m_{1} \in F_{q}$
Note commitment of the second output note $c m_{2} \in F_{q}$

Swap Commitment Integrity

The zk-SNARK certifies that the witnessed swap commitment $sc m$ was derived as:

$sc m_{inn er} = ha s h_{4} (d s, (I D_{1}, I D_{2}, Δ_{1}, Δ_{2}))$

$sc m = ha s h_{7} (d s, (rsee d, v_{f}, I D_{v_{f}}, B_{d}, p k_{d}, c k_{d}, sc m_{inn er}))$ .

using the above witnessed values and where ds is a constant domain separator:

ds = from_le_bytes(BLAKE2b-512(b"penumbra.swap")) mod q

Merkle auth path verification

The zk-SNARK certifies that the witnessed Merkle authentication path is a valid Merkle path of the swap commitment to the provided public anchor.

Nullifier Integrity

The zk-SNARK certifies that the nullifier $n f$ was derived as:

$n f = ha s h_{3} (d s, (nk, c m, p os))$

using the witnessed values above and where ds is a constant domain separator:

ds = from_le_bytes(BLAKE2b-512(b"penumbra.nullifier")) mod q

as described in Nullifiers.

Nullifier Key Linking

The zk-SNARK certifies that the diversified address $p k_{d}$ associated with the swap being claimed was derived as:

$p k_{d} = [i v k] B_{d}$

where $B_{d}$ is the witnessed diversified basepoint and $i v k$ is the incoming viewing key computed using a rate-2 Poseidon hash from the witnessed $nk$ and $ak$ as:

ivk = hash_2(from_le_bytes(b"penumbra.derive.ivk"), nk, decaf377_s(ak)) mod r

The zk-SNARK also certifies that:

$ak \neq = 0$
$p k_{d} \neq = 0$

Fee Consistency Check

The zk-SNARK certifies that the public claim fee is equal to the value witnessed as part of the swap plaintext.

Height Consistency Check

The zk-SNARK certifies that the swap commitment’s height is equal to the height of the batch swap output data (the clearing price height).

We compute the intra-epoch block height $h_{b}$ from the position $p os$ of the swap commitment and check the following identity:

$h = h_{e} + h_{b}$

where $h, h_{e}$ are provided on the batch swap output data as a public input.

Trading Pair Consistency Check

The zk-SNARK certifies that the trading pair included in the swap plaintext corresponds to the trading pair included on the batch swap output data, i.e.:

$I D_{1} = I D_{p i 1}$

$I D_{2} = I D_{p i 2}$

Output Amounts Integrity

The zk-SNARK certifies that the claimed output amounts $Λ_{1 i}, Λ_{2 i}$ were computed correctly following the pro-rata output calculation performed using the correct batch swap output data.

Output Note Commitment Integrity

The zk-SNARK certifies that the note commitments $c m_{1}$ and $c m_{2}$ were derived as:

$c m_{1} = ha s h_{6} (d s, (rc m_{1}, Λ_{1 i}, I D_{1}, B_{d}, p k_{d}, c k_{d}))$

$c m_{2} = ha s h_{6} (d s, (rc m_{2}, Λ_{2 i}, I D_{2}, B_{d}, p k_{d}, c k_{d}))$