We instantiate our zero-knowledge proof system $(P, V)$ over the curve bn128. All variables are in its scalar field $F$.
An order is represented as the following object, with a transparent structure $t$ and shielded structure $s$:
with the following definitions:
$\phi$: side of the order, 0 when it's a bid, 1 when it's an ask
$\chi$: token address for the target project
$d$: denomination, either the token address of USDC or ETH (set to 0x1 for this case)
$p$: price, denominated in $d$, with scaling factor $10^9$ but only $10^7$ precision
$v$: volume, amount of token to exchange, with scaling factor $10^9$
$\alpha$: access key, randomly sampled from $F$, protects against brute force attacks, meant to be revealed to counterparties
We employ a cryptographic hash function $H$ to create hiding commitments for the shielded structure. The chain only sees the commitment $\bar O = \{t: O.t,\ s: H(O.s)\}$.
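The commitment and the role of the access key $\alpha$, as an added example that is not part of the original protocol code. It assumes the split $t = (\phi, \chi, d)$, $s = (p, v, \alpha)$ and uses SHA-256 reduced into $F$ as a stand-in for $H$; the function names, the token address and the price and volume grids are constructed for illustration.

```python
import hashlib
import secrets

# Order of the bn128 scalar field F
F_ORDER = 21888242871839275222246405745257275088548364400416034343698204186575808495617
SCALE = 10**9  # scaling factor applied to p and v

def H(*elems):
    """Stand-in for H (assumption): SHA-256 over 32-byte field elements, reduced into F."""
    data = b"".join((e % F_ORDER).to_bytes(32, "big") for e in elems)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % F_ORDER

def make_order(phi, chi, d, p, v, alpha=None):
    """Assumed split: t = (phi, chi, d) is transparent, s = (p, v, alpha) is shielded."""
    if alpha is None:
        alpha = secrets.randbelow(F_ORDER)  # access key sampled uniformly from F
    return {"t": {"phi": phi, "chi": chi, "d": d},
            "s": {"p": p, "v": v, "alpha": alpha}}

def commit(order):
    """What the chain sees: transparent part in the clear, shielded part hashed."""
    s = order["s"]
    return {"t": dict(order["t"]), "s": H(s["p"], s["v"], s["alpha"])}

def opens_to(commitment, order):
    """Counterparty check: does the revealed order match the on-chain commitment?"""
    return commit(order) == commitment

def enumerate_opening(commitment, alpha_guess, prices, volumes):
    """Hiding check: search a small (p, v) grid for an opening under a guessed alpha."""
    for p in prices:
        for v in volumes:
            if H(p, v, alpha_guess) == commitment["s"]:
                return p, v
    return None

# Constructed sample values (the token address is a placeholder, not a real contract)
CHI = 0xC0FFEE
PRICES = [n * SCALE // 100 for n in range(1, 501)]  # 0.01 .. 5.00 in d
VOLUMES = [n * SCALE for n in range(1, 101)]        # 1 .. 100 tokens

if __name__ == "__main__":
    order = make_order(0, CHI, 0x1, 125 * SCALE // 100, 40 * SCALE)
    weak = make_order(0, CHI, 0x1, 125 * SCALE // 100, 40 * SCALE, alpha=0)
    print(opens_to(commit(order), order))                        # revealed order verifies
    print(enumerate_opening(commit(weak), 0, PRICES, VOLUMES))   # constant alpha: recovered
    print(enumerate_opening(commit(order), 0, PRICES, VOLUMES))  # random alpha: no opening
```

With a constant $\alpha$ the commitment only hides as well as the price and volume grid is large, which is why $\alpha$ must be sampled from all of $F$ and shared only with the intended counterparty.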
The on-chain orderbook comprises 1) a list of these commitments $\{\bar O_i\}_{i=0}^N$ and 2) the Ethereum public keys $pk$ of the commitment owners.
When describing the protocol, we often employ an auxiliary variable $b$ to describe a balance. It is a pair with the first element specifying an amount of the target project's token and the second element specifying an amount of the denomination token. A balance will always be used in conjunction with an order $O$, so target and denomination tokens are unambiguous.
Readers will have to excuse our blend of lax notation from mathematics and lax notation from computer science. The purist descriptions grew too verbose. Scaling factors are also omitted for brevity, but must be included during implementation to handle float operations.