Swap Descriptions

Each swap contains a SwapBody and a zk-SNARK swap proof.

Swap zk-SNARK Statements

The swap proof demonstrates the properties enumerated below for the private witnesses known by the prover:

• Swap plaintext which consists of:
  • Trading pair, which consists of two asset IDs $I{D}_1,I{D}_2\in {\mathbb{F}}_q$ with asset-specific generators $G_1,G_2\in \mathbb{G}$
  • Fee value which consists of an amount $v_f$ interpreted as an ${\mathbb{F}}_q$ and an asset ID $I{D}_{v_f}\in {\mathbb{F}}_q$ with asset-specific generator $G_{v_f}\in \mathbb{G}$
  • Input amount of the first asset $v_1$ interpreted as an ${\mathbb{F}}_q$
  • Input amount of the second asset $v_2$ interpreted as an ${\mathbb{F}}_q$
  • Rseed, interpreted as an ${\mathbb{F}}_q$
  • Diversified basepoint $B_d\in \mathbb{G}$ corresponding to the claim address
  • Transmission key $p{k}_d\in \mathbb{G}$ corresponding to the claim address
  • Clue key $\mathsf{c}{\mathsf{k}}_{\mathsf{d}}\in {\mathbb{F}}_q$ corresponding to the claim address
• Fee blinding factor $\widetilde{v_f}\in {\mathbb{F}}_r$ used to blind the fee commitment

And the corresponding public inputs:

• Balance commitment $cv\in G$ to the value balance
• Fee commitment $c{v}_f\in G$ to the value of the fee
• Swap commitment $scm\in {\mathbb{F}}_q$

Swap Commitment Integrity

The zk-SNARK certifies that the public input swap commitment $scm$ was derived as:

$sc{m}_{inner}=has{h}_4(ds,(I{D}_1,I{D}_2,v_1,v_2))$

$scm=has{h}_7(ds,(rseed,v_f,I{D}_{v_f},B_d,p{k}_d,\mathsf{c}{\mathsf{k}}_{\mathsf{d}},sc{m}_{inner}))$.

using the above witnessed values and where ds is a constant domain separator:

ds = from_le_bytes(BLAKE2b-512(b"penumbra.swap")) mod q

Fee Commitment Integrity

The zk-SNARK certifies that the public input fee commitment $c{v}_f$ was derived from the witnessed values as:

$c{v}_f=[-v_f]G_{v_f}+[\widetilde{v_f}]G_{\tilde{v}}$

where $G_{\tilde{v}}$ is a constant generator and $G_{v_f}$ is an asset-specific generator point derived as described in Value Commitments.

Balance Commitment Integrity

The zk-SNARK certifies that the total public input balance commitment $cv$ was derived from the witnessed values as:

$cv=[-v_1]G_1+[-v_2]G_2+c{v}_f$

where the first two terms are from the input amounts and assets, and $c{v}_f$ is the fee commitment.