SwapClaim Descriptions

Each swap claim contains a SwapClaimBody and a zk-SNARK swap claim proof.

SwapClaim zk-SNARK Statements

The swap claim proof demonstrates the properties enumerated below for the private witnesses known by the prover:

• Swap plaintext corresponding to the swap being claimed. This consists of:
  • Trading pair, which consists of two asset IDs $I{D}_1,I{D}_2\in {\mathbb{F}}_q$
  • Fee value which consists of an amount $v_f$ interpreted as an ${\mathbb{F}}_q$ and an asset ID $I{D}_{v_f}\in {\mathbb{F}}_q$
  • Input amount ${\Delta }_{1i}$ of the first asset interpreted as an ${\mathbb{F}}_q$
  • Input amount ${\Delta }_{2i}$ of the second asset interpreted as an ${\mathbb{F}}_q$
  • Rseed, interpreted as an ${\mathbb{F}}_q$
  • Diversified basepoint $B_d\in \mathbb{G}$ corresponding to the claim address
  • Transmission key $p{k}_d\in \mathbb{G}$ corresponding to the claim address
  • Clue key $\mathsf{c}{\mathsf{k}}_{\mathsf{d}}\in {\mathbb{F}}_q$ corresponding to the claim address
• Swap commitment $scm\in {\mathbb{F}}_q$
• Merkle proof of inclusion for the swap commitment, consisting of a position pos and an authentication path consisting of 72 ${\mathbb{F}}_q$ elements (3 siblings each per 24 levels)
• Nullifier deriving key $nk\in {\mathbb{F}}_q$
• Output amount ${\Lambda }_{1i}$ of the first asset interpreted as an ${\mathbb{F}}_q$
• Output amount ${\Lambda }_{2i}$ of the second asset interpreted as an ${\mathbb{F}}_q$
• Note blinding factor $rc{m}_1\in {\mathbb{F}}_q$ used to blind the first output note commitment
• Note blinding factor $rc{m}_2\in {\mathbb{F}}_q$ used to blind the second output note commitment

And the corresponding public inputs:

• Merkle anchor $\in {\mathbb{F}}_q$ of the state commitment tree
• Nullifier $nf$ corresponding to the swap
• Fee to claim the outputs which consists of an amount $v_f$ interpreted as an ${\mathbb{F}}_q$ and an asset ID $G_{v_f}\in \mathbb{G}$
• The batch swap output data, which consists of:
  • trading pair, which consists of two asset IDs $I{D}_{pi1},I{D}_{pi2}\in {\mathbb{F}}_q$
  • 128-bit fixed point values (represented in circuit as four 64-bit (Boolean constraint) limbs) for the batched inputs ${\Delta }_1,{\Delta }_2$, outputs ${\Lambda }_1,{\Lambda }_2$, and the unfilled quantities $U_1,U_2$
  • block height $h\in {\mathbb{F}}_q$
  • starting height of the epoch $h_e\in {\mathbb{F}}_q$
• Note commitment of the first output note $c{m}_1\in {\mathbb{F}}_q$
• Note commitment of the second output note $c{m}_2\in {\mathbb{F}}_q$

Swap Commitment Integrity

The zk-SNARK certifies that the witnessed swap commitment $scm$ was derived as:

$sc{m}_{inner}=has{h}_4(ds,(I{D}_1,I{D}_2,{\Delta }_1,{\Delta }_2))$

$scm=has{h}_7(ds,(rseed,v_f,G_{v_f},B_d,p{k}_d,\mathsf{c}{\mathsf{k}}_{\mathsf{d}},sc{m}_{inner}))$.

using the above witnessed values and where ds is a constant domain separator:

ds = from_le_bytes(BLAKE2b-512(b"penumbra.swap")) mod q

Merkle auth path verification

The zk-SNARK certifies that the witnessed Merkle authentication path is a valid Merkle path of the swap commitment to the provided public anchor.

Nullifier Integrity

The zk-SNARK certifies that the nullifier $nf$ was derived as:

$nf=has{h}_3(ds,(nk,cm,pos))$

using the witnessed values above and where ds is a constant domain separator:

ds = from_le_bytes(BLAKE2b-512(b"penumbra.nullifier")) mod q

as described in Nullifiers.

Fee Consistency Check

The zk-SNARK certifies that the public claim fee is equal to the value witnessed as part of the swap plaintext.

Height Consistency Check

The zk-SNARK certifies that the swap commitment’s height is equal to the height of the batch swap output data (the clearing price height).

We compute the intra-epoch block height $h_b$ from the position $pos$ of the swap commitment and check the following identity:

$h=h_e+h_b$

where $h,h_e$ are provided on the batch swap output data as a public input.

Trading Pair Consistency Check

The zk-SNARK certifies that the trading pair included in the swap plaintext corresponds to the trading pair included on the batch swap output data, i.e.:

$I{D}_1=I{D}_{pi1}$

$I{D}_2=I{D}_{pi2}$

Output amounts integrity

The zk-SNARK certifies that the claimed output amounts ${\Lambda }_{1i},{\Lambda }_{2i}$ were computed correctly following the pro-rata output calculation performed using the correct batch swap output data.

Output Note Commitment Integrity

The zk-SNARK certifies that the note commitments $c{m}_1$ and $c{m}_2$ were derived as:

$c{m}_1=has{h}_6(ds,(rc{m}_1,{\Lambda }_{1i},I{D}_1,B_d,p{k}_d,c{k}_d))$

$c{m}_2=has{h}_6(ds,(rc{m}_2,{\Lambda }_{2i},I{D}_2,B_d,p{k}_d,c{k}_d))$

using the above witnessed values and where ds is a constant domain separator:

ds = from_le_bytes(BLAKE2b-512(b"penumbra.notecommit")) mod q