# R&D Meeting notes 2024-09-18

## ZSA swaps

With NU7 state of ZSAs, a collaborative atomic swap requires 2 Actions:

- Alice_X -> Bob_X
- Bob_Y -> Alice_Y

An async atomic swap (a la DEX) requires 4 Actions:

- Alice provides:
  - Alice_X -> dummy note
  - split note -> Alice_Y
- Bob provides:
  - Bob_Y -> dummy note
  - split note -> Bob_X
- DEX matches.

Question: how can we enable the async atomic swap to instead only require 2 Actions:

- Alice_X -> Alice_Y
- Bob_Y -> Bob_X

qedit's question (IIRC) was whether the marginal cost of the 4-action case (2 * 2.5 kiB) was a blocker. str4d noted that any approach towards the 2-action case would likely increase the size of the circuit, thus also having an increased cost; therefore what matters here is the relative costs between the two alternatives.

### Idea for maybe enabling 2-action DEX swaps

The reason why ZSAs require split notes is that the output asset base needs to be constrained in some way to be correctly derived from an existing asset ID. Otherwise, the transaction author can create two Actions:

- First action spends from asset base $B$ to related asset base $[k] B$ which overflows the value balance.
- Second action spends the overflowed balance of $[k] B$ back to $B$, resulting in counterfeit $B$.

Let's assume that we do allow different asset bases on the spend and output sides of an Action. Assume WLOG the spend side is constrained all the way back to a visible issuance, and just focus on the output side.

If 2 users are involved in an asset swap, then if the swap balances, each user's output asset base must be "compatible" with the other user's spend base.

Question: is there a way to add minimal additional constraints such that if we assume one user has set both asset bases correctly, the other user is fully constrained?

- Alice_X -> Alice_Y
- Bob_Y -> Bob_X

$$
\begin{aligned}
Alice_X &= (v_{AX}, P_{AX}) \\
Alice_Y &= (v_{AY}, P_{AY}) \\
Bob_X &= (v_{BX}, P_{BX}) \\
Bob_Y &= (v_{BY}, P_{BY})
\end{aligned}
$$

Assumptions:

- $P_{AX}$ is correctly constrained (by induction) to be an independent base.
- $P_{BY}$ is correctly constrained (by induction) to be an independent base.
- Fee is zero.

Balance for the entire tx implies:

$$
\begin{aligned}
cv_A &= [v_{AX}] P_{AX} - [v_{AY}] P_{AY} + [r_A] R \\
cv_B &= [v_{BY}] P_{BY} - [v_{BX}] P_{BX} + [r_B] R \\
cv_A + cv_B &= [r_A + r_B] R
\end{aligned}
$$

Balance is intended to imply that $v_{AX} = v_{BX}$ and $v_{AY} = v_{BY}$.

If we add an additional assumption:

- we don't care about view consistency;
- $P_{AY}$ is an independent base.

Can we constrain that $P_{BX}$ is an independent base?

----

Currently: one value commitment per action

New: three commitments:

- $cv_b = [v_s] P_s - [v_o] P_o + [r_b] R_b$
- $cv_s = [v_s] B_s + [r_c] R_s$
- $cv_o = [v_o] B_o + [r_c] R_o$

In the context of a DEX transaction, the tx can be constructed to cross-check the values. This reveals it is a DEX transaction (which is also revealed for the 4-action case), but does not reveal amount or asset type.

----

Currently: output base = input base

New: (output base = input base) or (input commits to (input base, output base))

Problem: we need to be able to spend any input note, so being able to refer to an input that commits to (input base, output base) doesn't necessarily help. But (with additional complexity) it could be used to allow an async swap to be done in three actions, not four.
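
The balance equations for $cv_A$ and $cv_B$ above can be checked in a symbolic model, which shows why the independence of $P_{BX}$ has to be constrained: with $P_{BX} = [k] P_{AX}$ the transaction still balances although $v_{AX} \neq v_{BX}$. This is an added example, not part of the original notes; the modulus `Q`, the sample values, the function names, and the representation of independent bases as named generators are all assumptions made for illustration.

```python
# Symbolic model (an assumption of this example): a group element is a map
# {generator name: coefficient mod Q}; distinct names are independent bases.
Q = 2**61 - 1  # constructed prime standing in for the scalar field order

def mul(k, point):
    """Scalar multiplication [k] point."""
    return {g: (k * c) % Q for g, c in point.items()}

def add(*points):
    """Group addition; generators whose coefficient cancels to zero are dropped."""
    out = {}
    for p in points:
        for g, c in p.items():
            out[g] = (out.get(g, 0) + c) % Q
    return {g: c for g, c in out.items() if c}

def neg(point):
    """Additive inverse of a point."""
    return mul(Q - 1, point)

R = {"R": 1}  # randomness base from the notes

def action_cv(v_spend, p_spend, v_out, p_out, r):
    """cv = [v_spend] P_spend - [v_out] P_out + [r] R, as in the notes."""
    return add(mul(v_spend, p_spend), neg(mul(v_out, p_out)), mul(r, R))

def swap_balances(alice, bob):
    """Check cv_A + cv_B == [r_A + r_B] R; each action is (v_s, P_s, v_o, P_o, r)."""
    total = add(action_cv(*alice), action_cv(*bob))
    return total == add(mul(alice[4] + bob[4], R))

X, Y = {"X": 1}, {"Y": 1}  # independent bases: P_AX = X, P_AY = P_BY = Y

def honest_swap():
    # Alice: 5 X -> 7 Y; Bob: 7 Y -> 5 X; every base is independent.
    return swap_balances((5, X, 7, Y, 11), (7, Y, 5, X, 13))

def mismatched_values_rejected():
    # Bob's output claims 6 X while Alice spends 5 X: balance fails.
    return swap_balances((5, X, 7, Y, 11), (7, Y, 6, X, 13))

def related_base_swap(k=5):
    # P_BX = [k] P_AX is not independent: balance holds with v_AX = k * v_BX.
    v_ax, v_bx = 5, 1
    ok = swap_balances((v_ax, X, 7, Y, 11), (7, Y, v_bx, mul(k, X), 13))
    return ok, v_ax == v_bx  # (balances, values equal)
```
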