Private order matching & zk atomic swap

Private order matching uses the 'Socialist Millionare' protocol to match the trade orders without revealing the details. The matched result can also be used to enforce a zk transfer pool to execute a zk atomic swap correctly.

Private order matching

Step 1. Make a new order

Let's assume that Alice wants to get 100 DAI by giving 1 ETH. And Bob wants to get 1 ETH by giving 100 DAI.

Alice's order: 'GET DAI' (1, 100)(ETH/DAI)
Bob's order: 'GET ETH' (1, 100)(ETH/DAI)

sell = field('GET DAI')
buy = field('GET ETH')
order = field('(1, 100)(ETH/DAI)')

What only Alice knows	What everyone knows	What only Bob knows
\(order_a\)	\(sell\), \(buy\), \(pk_a\), \(pk_b\)	\(order_b\)

Step 2. Create the homomorphic hidings for each other.

In this situation, Alice and Bob will generates new homomorphic hidings for the 'socialist millionare' protocol using their own salts and each other's public key. As a result, each homomorphic hidings are below:

Alice's homomorphic hiding: \(H_a = g^{sell \cdot pk_b \cdot salt_{a} \cdot order_a}\)
Alice's public salt: \(S_a = g^{sell \cdot pk_b \cdot salt_{a}}\)
Bob's homomorphic hiding: \(H_b = g^{buy \cdot pk_a \cdot salt_{b} \cdot order_b}\)
Bob's public salt: \(S_b = g^{buy \cdot pk_a \cdot salt_{b}}\)

And they share their homomorphic hidings each other.

What only Alice knows	What everyone knows	What only Bob knows
\(order_a\), \(salt_a\)	\(sell\), \(buy\), \(pk_a\), \(pk_b\), \(H_a\), \(H_b\), \(S_a\), \(S_b\)	\(order_b\), \(salt_b\)

Step 3. Alice and Bob checks that they have a same order.

Now using the given values, Alice and Bob check that they have a same order by themselves.

If Alice's calculation \(H_b == order_a \cdot S_b\) is true, she knows that \(order_a == order_b\).
If Bob calculate \(H_a == order_b \cdot S_a\) is true, he also knows that \(order_b == order_a\).
Now they know that they have a same order each other.

What Alice only knows	What everyone knows	What Bob only knows
\(order_a\), \(salt_a\) , \(order_a \cdot S_b == H_b\)	\(sell\), \(buy\), \(pk_a\), \(pk_b\), \(H_a\), \(H_b\), \(S_a\), \(S_b\)	\(order_b\), \(salt_b\), \(order_b \cdot S_a == H_a\)

Using \(H\) for zk atomic swap

To make the atomic swap happen with the matched order, use the combined homomorphic hiding \(H\) to combine 2 zk transfers. Here \(H\) equals to the below:

\(H = g^{sell \cdot buy \cdot pk_a \cdot pk_b \cdot salt_a \cdot salt_b \cdot order}\)

And then Alice's and Bob's zk transfers for the atomic swap should look like this:

Alice's zk transfer for the atomic swap

- NoteA1(input)	+ NoteA2(output)	+ NoteA3(output)	Sum
ETH: 3	ETH: 2	ETH: 1	0
DAI: 500	DAI: 500	DAI: 0	0
Owner: Alice	Owner: Alice	Owner: Bob

Bob's zk transfer for the atomic swap

- NoteB1(input)	+ NoteB2(output)	+ NoteB3(output)	Sum
ETH: 8	ETH: 8	ETH: 0	0
DAI: 900	DAI: 800	DAI: 100	0
Owner: Bob	Owner: Bob	Owner: Alice

In this pair, Alice splits her asset into two notes and give one to Bob. Otherwise, Bob also split his assets and give one to Alice. The newly exchanging notes should have the same information in the homomorphicall hidden commitment \(H\).

Alice's SNARK

public inputs:
    Note A1's nullifier
    Note A2's hash
    Note A3's hash
    H<=(sell, buy, pk_a, pk_b, salt_a, salt_b, order)

private inputs:
    Note A1's details [3, 500, Alice]
    Note A1's spending signature from Alice's key
    Note A2's details [2, 500, Alice]
    Note A3's details [1, 0, Bob]
    Bob's public key [pk_b]
    Bob's public salt S_b<=(buy, pk_a, salt_b)
    order [1, 100] = (order_x, order_y)
    salt_a
    
Constraints:
    1. The hash of Note A1, A2, and A3 are all valid.
    2. Note A1's included in the shielded pool.
    3. Note A1's nullifier is correctly derived from the A1's details.
    4. output notes - input notes == 0 (A2 + A3 - A1 == 0)
    5. A3's owner == pk_b
    6. A3's value == if 'sell' then (order_x, 0) else (0, order_y)
    7. if sell:
            H == sell * pk_b * salt_a * order * S_b
       elif buy: 
            H == buy * pk_b * salt_a * order * S_b

Bob's SNARK

public inputs:
    Note B1's nullifier
    Note B2's hash
    Note B3's hash
    H<=(sell, buy, pk_a, pk_b, salt_a, salt_b, order)

private inputs:
    Note B1's details [8, 900, Bob]
    Note B1's spending signature from Alice's key
    Note B2's details [8, 800, Bob]
    Note B3's details [8, 100, Alice]
    Alice's public key [pk_a]
    Alice's public salt S_a<=(buy, pk_b, salt_a)
    order [1, 100] = (order_x, order_y)
    salt_a
    
Constraints:
    1. The hash of Note B1, B2, and B3 are all valid.
    2. Note B1's included in the shielded pool.
    3. Note B1's nullifier is correctly derived from the B1's details.
    4. output notes - input notes == 0 (B2 + B3 - B1 == 0)
    5. B3's owner == pk_a
    6. B3's value == if 'sell' then (order_x, 0) else (0, order_y)
    7. if sell:
            H == sell * pk_a * salt_b * order * S_a
       elif buy: 
            H == buy * pk_a * salt_b * order * S_a

With this construction, we can let Alice and Bob match their order privately and also execute the zk atomic swap.

Syntax	Example	Reference
# Header	Header	基本排版
- Unordered List	Unordered List
1. Ordered List	Ordered List
- [ ] Todo List	Todo List
> Blockquote	Blockquote
Bold font	Bold font
Italics font	Italics font
~~Strikethrough~~	~~Strikethrough~~
19^th^	19^th
H~2~O	H₂O
++Inserted text++	Inserted text
==Marked text==	Marked text
[link text](https:// "title")	Link
![image alt](https:// "title")	Image
`Code`	`Code`	在筆記中貼入程式碼
```javascript var i = 0; ```	`var i = 0;`	在筆記中貼入程式碼
:smile:		Emoji list
{%youtube youtube_id %}	Externals
$L^aT_eX$	L^aT_eX
:::info This is a alert area. :::	This is a alert area.