# SwapClaim Descriptions

Each swap claim contains a SwapClaimBody and a zk-SNARK swap claim proof.

## SwapClaim zk-SNARK Statements

The swap claim proof demonstrates the properties enumerated below for the private witnesses known by the prover:

- Swap plaintext corresponding to the swap being claimed. This consists of:
  - Trading pair, which consists of two asset IDs $ID_{1},ID_{2}∈F_{q}$
  - Fee value which consists of an amount $v_{f}$ interpreted as an $F_{q}$ and an asset ID $ID_{v_{f}}∈F_{q}$
  - Input amount $Δ_{1i}$ of the first asset interpreted as an $F_{q}$
  - Input amount $Δ_{2i}$ of the second asset interpreted as an $F_{q}$
  - `Rseed`, interpreted as an $F_{q}$
  - Diversified basepoint $B_{d}∈G$ corresponding to the claim address
  - Transmission key $pk_{d}∈G$ corresponding to the claim address
  - Clue key $ck_{d}∈F_{q}$ corresponding to the claim address
- Swap commitment $scm∈F_{q}$
- Merkle proof of inclusion for the swap commitment, consisting of a position `pos` and an authentication path consisting of 72 $F_{q}$ elements (3 siblings each per 24 levels)
- Nullifier deriving key $nk∈F_{q}$
- Output amount $Λ_{1i}$ of the first asset interpreted as an $F_{q}$
- Output amount $Λ_{2i}$ of the second asset interpreted as an $F_{q}$
- Note blinding factor $rcm_{1}∈F_{q}$ used to blind the first output note commitment
- Note blinding factor $rcm_{2}∈F_{q}$ used to blind the second output note commitment

And the corresponding public inputs:

- Merkle anchor $∈F_{q}$ of the state commitment tree
- Nullifier $nf$ corresponding to the swap
- Fee to claim the outputs which consists of an amount $v_{f}$ interpreted as an $F_{q}$ and an asset ID $G_{v_{f}}∈G$
- The batch swap output data, which consists of:
  - trading pair, which consists of two asset IDs $ID_{pi1},ID_{pi2}∈F_{q}$
  - 128-bit fixed point values (represented in circuit as four 64-bit (Boolean constraint) limbs) for the batched inputs $Δ_{1},Δ_{2}$, outputs $Λ_{1},Λ_{2}$, and the unfilled quantities $U_{1},U_{2}$
  - block height $h∈F_{q}$
  - starting height of the epoch $h_{e}∈F_{q}$
- Note commitment of the first output note $cm_{1}∈F_{q}$
- Note commitment of the second output note $cm_{2}∈F_{q}$

### Swap Commitment Integrity

The zk-SNARK certifies that the witnessed swap commitment $scm$ was derived as:

$scm_{inner}=hash_{4}(ds,(ID_{1},ID_{2},Δ_{1},Δ_{2}))$

$scm=hash_{7}(ds,(rseed,v_{f},G_{v_{f}},B_{d},pk_{d},ck_{d},scm_{inner}))$

using the above witnessed values and where `ds` is a constant domain separator:

`ds = from_le_bytes(BLAKE2b-512(b"penumbra.swap")) mod q`

### Merkle auth path verification

The zk-SNARK certifies that the witnessed Merkle authentication path is a valid Merkle path of the swap commitment to the provided public anchor.

### Nullifier Integrity

The zk-SNARK certifies that the nullifier $nf$ was derived as:

$nf=hash_{3}(ds,(nk,cm,pos))$

using the witnessed values above and where `ds` is a constant domain separator:

`ds = from_le_bytes(BLAKE2b-512(b"penumbra.nullifier")) mod q`

as described in Nullifiers.

### Fee Consistency Check

The zk-SNARK certifies that the public claim fee is equal to the value witnessed as part of the swap plaintext.

### Height Consistency Check

The zk-SNARK certifies that the swap commitment’s height is equal to the height of the batch swap output data (the clearing price height).

We compute the intra-epoch block height $h_{b}$ from the position $pos$ of the swap commitment and check the following identity:

$h=h_{e}+h_{b}$

where $h,h_{e}$ are provided on the batch swap output data as a public input.
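The Merkle path check and the height check both consume `pos`, which is what stops a prover from picking a convenient $h_{b}$. The Python model below is an added example, not code from the Penumbra project. It assumes the 24 levels form three 8-level tiers (epoch, block, commitment), that siblings are listed leaf level first, and it substitutes BLAKE2b for the hash used in the circuit.

```python
import hashlib

ARITY, LEVELS, TIER_LEVELS = 4, 24, 8  # 3 siblings x 24 levels is from the page
# Assumption: three 8-level tiers, so pos = epoch:16 | block:16 | commitment:16 bits.

def decode_pos(pos):
    """Split a 48-bit position into (epoch, block, commitment) indices."""
    if not 0 <= pos < ARITY ** LEVELS:
        raise ValueError("position must fit in 48 bits")
    bits = 2 * TIER_LEVELS
    mask = (1 << bits) - 1
    return pos >> (2 * bits), (pos >> bits) & mask, pos & mask

def height_consistent(pos, h, h_e):
    """Check h = h_e + h_b, with h_b the block index encoded in pos."""
    _, h_b, _ = decode_pos(pos)
    return h == h_e + h_b

def node_hash(level, children):
    """Stand-in hash (BLAKE2b), not the hash the circuit uses."""
    data = bytes([level]) + b"".join(children)
    return hashlib.blake2b(data, digest_size=32).digest()

def root_from_path(leaf, pos, path):
    """Fold 72 siblings (3 per level, leaf level first: an assumption) into a root."""
    if len(path) != (ARITY - 1) * LEVELS:
        raise ValueError("authentication path must hold 72 elements")
    decode_pos(pos)  # rejects out-of-range positions
    node = leaf
    for level in range(LEVELS):
        slot = (pos >> (2 * level)) & 3  # base-4 digit: our child slot at this level
        children = list(path[3 * level:3 * level + 3])
        children.insert(slot, node)  # place our node among its 3 siblings
        node = node_hash(level, children)
    return node

def verify_path(leaf, pos, path, anchor):
    """True when the path ties (leaf, pos) to the public anchor."""
    return root_from_path(leaf, pos, path) == anchor

# Constructed sample data, not real chain state.
SCM = hashlib.blake2b(b"constructed swap commitment", digest_size=32).digest()
PATH = [hashlib.blake2b(bytes([i]), digest_size=32).digest() for i in range(72)]
POS = (2 << 32) | (5 << 16) | 9  # epoch 2, block 5, commitment 9
ANCHOR = root_from_path(SCM, POS, PATH)
```

Shifting the block index inside `pos` changes the height it encodes, but it also changes the child slots, so the same path no longer reaches the anchor.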

### Trading Pair Consistency Check

The zk-SNARK certifies that the trading pair included in the swap plaintext corresponds to the trading pair included on the batch swap output data, i.e.:

$ID_{1}=ID_{pi1}$

$ID_{2}=ID_{pi2}$

### Output amounts integrity

The zk-SNARK certifies that the claimed output amounts $Λ_{1i},Λ_{2i}$ were computed correctly following the pro-rata output calculation performed using the correct batch swap output data.

### Output Note Commitment Integrity

The zk-SNARK certifies that the note commitments $cm_{1}$ and $cm_{2}$ were derived as:

$cm_{1}=hash_{6}(ds,(rcm_{1},Λ_{1i},ID_{1},B_{d},pk_{d},ck_{d}))$

$cm_{2}=hash_{6}(ds,(rcm_{2},Λ_{2i},ID_{2},B_{d},pk_{d},ck_{d}))$

using the above witnessed values and where `ds` is a constant domain separator:

`ds = from_le_bytes(BLAKE2b-512(b"penumbra.notecommit")) mod q`