darkfi/script/research/bulletproof-mpc/README.md

darkpool for drk

renegade for dummies

• renegade¹ implemented for erc20 transparent token to be swapped between two parties, each party create a wallet W = (B,O,F,K,r) of balance, order, fee, public keys, blinding value with transition state for every internal (within-darkpool) T_I=(\tilde{m_I},\tilde{v_i}) encrypted by the receiver key, or external transaction (transparent) T_E=(\tilde{m_E},\tilde{v_E},\tilde{d_E}), each trader picks order o to be matched, it's corresponding covering balance b, and fee f, blinding r, and create commitments to o, b, f, r as H_o, H_b, H_f, H_r and a VALID-COMMITMENT zk-snark proof that those commitments are derived from known private witnesses.
• from on-chain published VALID-COMMITMENT counterparties validate it's valid, and start matching process.
• reconstruct commitment over MPC through secret shares [o], [b], [f], [r], first construct match tuple M=(\tilde{m_1}, \tilde{m_2}, \tilde{v_1}, \tilde{v_2}, d, f_1, f_2) validate exchange coins match, v_1==v_2, directions, and that fee covers relay fee. reconstruct commitments shares H_{o_1}, H_{b_1}, H_{f_1}, H_{o_2}, H_{b_2}, H_{f_2}, open shares through third party, then exchange notes.

renegade performance

• both bulletproof over mpc, and collaborative zksnark over mpc are 2 times proving, and verifying of single prover proof ² ,³

dark renegade

• internal, and external wallet update state T_I, T_E are replaced by drk money transfer contract.
• eliminate third-party for opening shares using witness encryption.

framework

• mpc-stark⁴ is spdz mpc built over stark-curve (curve can change), we have sage implementation ⁵
• mpc-bulletproof⁶ mpc r1cs with mpc inner product proof built over mpc-stark, we have sage implementation of the ipp ⁷
• plug darkfi-p2p network into mpc-bulletproof
• fork renegade⁸
  • if the aim is to use halo2 proof zk-proofs, fork mpc-stark, and replace stark-curve with pallas-curve.
  • rewrite renegade zk-snark proofs with darkfi compiler
  • replace wallet update with money transfer contracts

open fairness

• opening shares between two strategic players in p2p network without a third-party is impossible ⁹ .
• one turn around is witness encrypting (WE) ¹⁰ ,¹¹ ,¹² the match shares for which the other party encrypt with witness (the other share), and the opposite for the peer ¹³

---

1. https://renegade.fi/whitepaper.pdf ↩︎

2. https://eprint.iacr.org/2021/1530 ↩︎

3. https://github.com/renegade-fi/mpc-bulletproof/pull/14 ↩︎

4. https://github.com/renegade-fi/mpc-stark ↩︎

5. https://github.com/darkrenaissance/darkfi/tree/master/script/research/mpc ↩︎

6. https://github.com/renegade-fi/mpc-bulletproof ↩︎

7. https://github.com/darkrenaissance/darkfi/tree/master/script/research/bulletproof-mpc ↩︎

8. https://github.com/renegade-fi/renegade ↩︎

9. https://kodu.ut.ee/~swen/courses/crypto-ii/2008/cleve1986.pdf ↩︎

10. https://eprint.iacr.org/2013/258.pdf ↩︎

11. https://arxiv.org/pdf/2112.04581.pdf ↩︎

12. https://github.com/guberti/witness-encryption-demos ↩︎

13. https://eprint.iacr.org/2017/1091.pdf ↩︎