Zswap
Supporting multiple asset types and enabling atomic swaps are crucial for enabling use cases such as decentralized finance (DeFi), which Midnight does with the added benefit of data protection. Midnight uses Zswap to provide this functionality.
Atomic swaps
An atomic swap is an all-or-nothing transaction. Suppose Alice wants some fishing gear, and Bob has some unsold gear in his shop. They agree on this transaction:
Rod $600.00, reel $300.00, tackle $100.00.
Alice hadn’t planned to spend this much so she has only $700 in unspent cash, and she uses $300 of the unused credit on her card. The transaction is an atomic swap because it is not complete until Alice has all the gear and Bob has both the cash and the electronic funds.
Even though this is a legal transaction, there may be some privacy requirements. Bob is happy to share the details with his accountant and the tax office, but not with his competitor. Alice is happy to share with her partner, but not so much with her sister who might make unwelcome comments about how many servings of fish and chips $1000 would buy.
In the case of a transaction carried out on a decentralized, permissionless blockchain, the concepts are similar but the details differ. Bob and Alice might agree to exchange unspent transaction outputs (UTXOs) such as 600 of coin B1, 300 of B2, and 100 of B3 from Bob in exchange for 7,000,000 of coin A1 from Alice. An atomic swap is required to complete the transaction. This transaction could have a significant effect on the price of coin A1. Consider a miner that observes this buy order. The miner can buy that asset early and cheaply before the order drives up the price of the asset. Shielded swaps of assets can mitigate such attacks.
How Zswap helps
Midnight uses Zswap – a transaction scheme that provides a provably secure and data-protecting mechanism for atomic asset swaps. Based on the Zerocash protocol, Zswap enables the merging of transactions while preserving the confidentiality of data. Zswap provides a mechanism for supporting multiple asset types and facilitating atomic swaps, thereby offering a scalable and secure solution for DeFi applications.
Figure 1. Simple Zswap example
Figure 1 provides a simple example of how Zswap works. Let’s say both Alice and Bob prepare transactions. Alice intends to pay three dollars for five euros, while Bob intends to pay five euros for three dollars. Prior to these transactions becoming visible to others, they employ zero-knowledge proofs to ensure their anonymity on the network.
Then, Zswap facilitates the merging of these two transactions, enabling an atomic swap between Alice and Bob. This process ensures complete concealment of the swapped assets, maintaining data confidentiality.
Key features and benefits of Zswap
Feature | Benefit |
---|---|
Confidentiality: Zswap uses ZK Snarks to ensure that transactions are confidential. | Transaction details, such as the sender, receiver, and transaction amount, are kept confidential and not visible on the blockchain. |
Multiple assets and atomic exchanges: Zswap supports the ability to exchange multiple assets in a single transaction, and it also allows for atomic exchanges. | Atomic exchanges ensure that either both transactions occur or neither occurs, avoiding partial or incomplete transactions. |
Efficient swaps: Zswap utilizes sparse homomorphic commitments with aggregated open randomness, which allows for efficient swaps between different assets. | This means that Zswap transactions can be processed quickly and with low transaction fees. |
Provably secure: Zswap is designed to be provably secure, meaning that the security of the transactions can be mathematically verified. | This ensures that the transactions conducted using Zswap are secure and cannot be tampered with. |
Based on existing code bases and implementation expertise: Zswap benefits from existing code bases and implementation expertise from Zcash Sapling, which is a Zcash data protection feature. | This helps to ensure that Zswap is built on a solid foundation and has undergone thorough testing and development. |
In the Zswap protocol, transactions are carefully designed to be malleable, allowing them to be merged while maintaining user confidentiality. The transaction data is separated from the signature, which is a key insight borrowed from the Zcash ecosystem. This separation enables the use of non-interactive zero-knowledge proofs (NIZK) for validation, eliminating the need for slow multi-party computation (MPC) protocols commonly used in other solutions. The Zcash Sapling framework, with its signature separation and homomorphic commitments, serves as an important inspiration for Zswap.
To achieve the desired properties of multi-asset support and atomic swaps, Zswap leverages sparse multi-value Pedersen commitments and relaxes the signature requirements. The use of sparse commitments enables the non-interactive merging of transactions, facilitating the exchange of different assets between parties who don’t know each other. The protocol ensures that transactions only reveal an imbalance map for each asset, where the sum of inputs is not equal to the sum of outputs. This imbalance does not reveal specific amounts and types of assets, ensuring sender/receiver confidentiality and preventing subsequent correlation of spending.
With Zswap, basic functionality for local exchange markets is established, where users can send exchange offers, and selected participants can match and merge these offers off-chain before submitting them to the blockchain. The system's confidentiality is controlled by users, and the information revealed during the matching process is minimal and erased once the transaction is balanced and sent to the ledger. Partial merges drop any types with zero imbalances, while larger exchange pools can provide liquidity and maintain public order books similar to traditional exchanges.
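To make the commitment algebra of the three paragraphs above concrete, here is an added Python model (not Midnight's or the Zswap paper's code) of sparse multi-value Pedersen commitments with aggregated open randomness: each offer commits to its shielded inputs and outputs, publishes only the per-asset imbalance map and the aggregated randomness, and two offers merge non-interactively by concatenating commitments and adding their imbalance maps; assets whose imbalance cancels to zero drop out, and the merged transaction is balanced when the map is empty. The modulus, the hash-derived generators, the helper names (Offer, commit, verify, merge) and the sample amounts are all constructed for this illustration; the real scheme works in a prime-order elliptic-curve group and relies on zero-knowledge proofs for spend and output validity, which this toy omits.

```python
import hashlib
import secrets

# Toy group (constructed for illustration only): the multiplicative group
# modulo a Mersenne prime. A real deployment uses a prime-order
# elliptic-curve group, but the commitment algebra below is the same.
P = 2**127 - 1
ORDER = P - 1          # exponents are reduced modulo the group order


def generator(label: str) -> int:
    """Hash-to-group (simplified): derive a group element from a label so no
    party knows a discrete-log relation between different generators."""
    x = int.from_bytes(hashlib.sha256(label.encode()).digest(), "big")
    return pow(x % (P - 2) + 2, 2, P)   # keep away from 0 and 1


H = generator("zswap-toy:blinding")           # base for the randomness r


def asset_base(asset: str) -> int:
    """One generator per asset type; a sparse commitment only touches the
    generators of the assets actually present."""
    return generator("zswap-toy:asset:" + asset)


def commit(values: dict, r: int) -> int:
    """Sparse multi-value Pedersen commitment: H^r * prod_t g_t^{v_t}.
    Homomorphic: commit(a, r1) * commit(b, r2) == commit(a+b, r1+r2)."""
    c = pow(H, r % ORDER, P)
    for asset, v in values.items():
        if v != 0:
            c = c * pow(asset_base(asset), v % ORDER, P) % P
    return c


def add_maps(a: dict, b: dict) -> dict:
    """Sum two imbalance maps, dropping assets whose imbalance is zero."""
    out = dict(a)
    for asset, v in b.items():
        out[asset] = out.get(asset, 0) + v
    return {k: v for k, v in out.items() if v != 0}


class Offer:
    """A transaction offer: shielded input/output commitments plus the public
    per-asset imbalance map and the aggregated open randomness."""

    def __init__(self, inputs, outputs):
        self.input_commits, self.output_commits = [], []
        self.imbalance, self.open_randomness = {}, 0
        for vals in inputs:                    # hidden amounts being spent
            r = secrets.randbelow(ORDER)
            self.input_commits.append(commit(vals, r))
            self.imbalance = add_maps(self.imbalance, vals)
            self.open_randomness = (self.open_randomness + r) % ORDER
        for vals in outputs:                   # hidden amounts being created
            r = secrets.randbelow(ORDER)
            self.output_commits.append(commit(vals, r))
            self.imbalance = add_maps(self.imbalance, {k: -v for k, v in vals.items()})
            self.open_randomness = (self.open_randomness - r) % ORDER

    def balanced(self) -> bool:
        """A transaction is ready for the ledger only when no asset is imbalanced."""
        return not self.imbalance


def verify(offer: Offer) -> bool:
    """Anyone can check the public data against the hidden commitments:
    prod(inputs) / prod(outputs) must equal commit(imbalance, open_randomness)."""
    acc = 1
    for c in offer.input_commits:
        acc = acc * c % P
    for c in offer.output_commits:
        acc = acc * pow(c, -1, P) % P
    return acc == commit(offer.imbalance, offer.open_randomness)


def merge(a: Offer, b: Offer) -> Offer:
    """Non-interactive merge: concatenate commitments, add imbalance maps and
    randomness. Needs no secrets from either party."""
    m = Offer([], [])
    m.input_commits = a.input_commits + b.input_commits
    m.output_commits = a.output_commits + b.output_commits
    m.imbalance = add_maps(a.imbalance, b.imbalance)
    m.open_randomness = (a.open_randomness + b.open_randomness) % ORDER
    return m


def example():
    """Alice (as in Figure 1) pays 3 dollars for 5 euros; Bob does the reverse."""
    alice = Offer(inputs=[{"USD": 10}],                 # a 10-dollar note
                  outputs=[{"USD": 7}, {"EUR": 5}])     # change plus the euros
    bob = Offer(inputs=[{"EUR": 5}], outputs=[{"USD": 3}])
    return alice, bob, merge(alice, bob)
```

Running example() shows what an observer learns: Alice's offer exposes the map {USD: +3, EUR: -5} and Bob's {EUR: +5, USD: -3}, but never the 10-dollar note or the 7-dollar change hidden inside the commitments; the merged offer has an empty map and still verifies, because the aggregated randomness was added along with the imbalances. A counter-offer of only 4 euros merges into an offer with a public imbalance of {EUR: -1} and cannot be posted as balanced. What the toy does not enforce is that the hidden amounts are non-negative and that the inputs are genuinely spendable; in the real protocol that is the job of the zero-knowledge proofs.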
Zswap contributes the following to Midnight:
- Formal model: Zswap introduces a formal model for a multi-asset Zcash system with swaps, built on top of the One-Time Account (OTA) system, which abstracts a nullifier-like private UTXO mechanism. The OTA model and the proof techniques used in Zswap have independent significance and can be applied to proving the security of systems like Zcash and Monero.
- Practical instantiation: Zswap provides a practical implementation of private non-interactive atomic swaps. It simplifies the Zcash framework by removing authorization and blinding signatures while preserving security.
- Security: The Zswap construction is proven secure under commonly used assumptions similar to those employed in Zerocash. The removal of Zcash signatures is validated, demonstrating that the perfect hiding and binding properties of spend and output commitments are sufficient for ensuring security.
- Implementation and evaluation: Zswap has been implemented and evaluated, demonstrating that the merging mechanism is highly effective and that the performance overhead compared to the basic single-asset protocol without swaps is minimal.
Overall, Zswap offers a promising solution for privacy-oriented atomic swaps and provides a foundation for the development of data protection token mechanisms with multi-asset support and strong privacy guarantees.
For more details, read the research paper "Zswap: ZK Snark Based Non-Interactive Multi-Asset Swaps".