{"id":20109991,"url":"https://github.com/distributed-lab/taprootized-atomic-swaps","last_synced_at":"2025-07-02T08:10:10.864Z","repository":{"id":219266873,"uuid":"745442272","full_name":"distributed-lab/taprootized-atomic-swaps","owner":"distributed-lab","description":"Taprootized Atomic Swaps (TAS) is an extension for Atomic Swaps that presumes the untraceability of transactions related to a particular swap.","archived":false,"fork":false,"pushed_at":"2025-03-13T20:41:38.000Z","size":5418,"stargazers_count":63,"open_issues_count":0,"forks_count":10,"subscribers_count":3,"default_branch":"main","last_synced_at":"2025-05-06T10:39:53.428Z","etag":null,"topics":["atomic-swap","bitcoin","ethereum","taproot","zero-knowledge"],"latest_commit_sha":null,"homepage":"https://arxiv.org/pdf/2402.16735","language":"Rust","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/distributed-lab.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2024-01-19T10:46:05.000Z","updated_at":"2025-03-13T20:31:09.000Z","dependencies_parsed_at":"2024-02-25T14:39:08.297Z","dependency_job_id":"deb80d32-b8a7-4128-99d2-65cb9e5d539f","html_url":"https://github.com/distributed-lab/taprootized-atomic-swaps","commit_stats":null,"previous_names":["distributed-lab/taprootized-atomic-swaps"],"tags_count":3,"template":false,"template_full_name":null,"purl":"pkg:github/distributed-lab/taprootized-atomic-swaps","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/distributed-lab%2Ftaprootized-atomic-swaps","tags_url":"https://repos.ecosyste.ms/api/v1/hos
ts/GitHub/repositories/distributed-lab%2Ftaprootized-atomic-swaps/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/distributed-lab%2Ftaprootized-atomic-swaps/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/distributed-lab%2Ftaprootized-atomic-swaps/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/distributed-lab","download_url":"https://codeload.github.com/distributed-lab/taprootized-atomic-swaps/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/distributed-lab%2Ftaprootized-atomic-swaps/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":263099718,"owners_count":23413625,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["atomic-swap","bitcoin","ethereum","taproot","zero-knowledge"],"created_at":"2024-11-13T18:10:02.684Z","updated_at":"2025-07-02T08:10:10.835Z","avatar_url":"https://github.com/distributed-lab.png","language":"Rust","funding_links":[],"categories":[],"sub_categories":[],"readme":"# \u003cp style=\"text-align: center;\"\u003e Taprootized Atomic Swaps \u003c/p\u003e\n\nTaprootized Atomic Swaps (TAS) is an extension for Atomic Swaps that presumes the untraceability of \ntransactions related to a particular swap. Based on Schnorr signatures, Taproot technology, and\nzero-knowledge proofs, the taprootized atomic swaps hide swap transactions under regular payments.\n\n## Intro\nAtomic swap is an incredible approach to cross-chain exchanges without mediators. 
However, one of \nthe disadvantages of its implementation in the classical form is the “digital trail” — any party \ncan make a matching between transactions in the blockchains in which the exchange took place and\nfind out both the participants in the exchange and the proportion in which assets were exchanged.\n\n\u003cdiv align=\"center\"\u003e\n\u003cimg src=\"assets/atomic-swap.png\"/\u003e\n\u003c/div\u003e\n\nOn the other hand, atomic swaps are a technology that initially assumed the involvement of only two \nparties and a “mathematical contract” between them directly. That is, an ideal exchange presupposes \n2 conditions:\n1) Only counterparties participate in the exchange (works by default)\n2) Only counterparties know about the fact of the exchange (it would be nice to ensure)\n\nThis paper will provide a concept of taprootized atomic swaps that allows hiding the very fact of the swap. To an\nexternal auditor, transactions to initiate and execute atomic swaps will be indistinguishable from regular Bitcoin\npayments. In the other accounting system involved in the transfer, more information is disclosed (the fact of\nexchange can be traced). Still, it is impossible to link this to the corresponding Bitcoin transactions (without\nadditional context from the involved parties).\n\n\u003cdiv align=\"center\"\u003e\n\u003cimg src=\"assets/sequence-diagram.png\"/\u003e\n\u003c/div\u003e\n\n### The protocol includes the following steps:\n1. Alice (`skA`, `PKA`) and Bob (`skB`, `PKB`) have their keypairs and know each other's public keys.\n2. Alice generates a random `k` and calculates the public value `K = k * G`\n3. Alice forms the alternative spending path `Script = sig(skA) + Locktime` in the form of Bitcoin Script \n4. Alice calculates an escrow public key as `PKEsc = K + PKB + hash((K + PKB) || Script) * G` (here,\n   escrow is just a public key, formed using Taproot technology)\n   1. 
The signature `sig(skEsc)`, verified by the `PKEsc`, can be generated only with the knowledge of `k`, `skB` and `Script`\n5. Alice calculates the `h` as a hash value of `k` (a zk-friendly hash function is recommended)\n6. Alice forms the funding transaction with the following conditions on how it can be spent:\n   1. Signature of `skEsc`: Bob, with knowledge of `k` and `skB`, can spend the output\n   2. Signature of `skA` + Locktime: Alice, with knowledge of `skA`, can spend the output, but only after some point in time `t1` (it's the `Script` itself)\n7. Alice sends the transaction to the Bitcoin network\n8. Alice generates the zero-knowledge `proof` that includes:\n   1. The proof of knowledge of `k` that satisfies `k * G == K`\n   2. The proof of knowledge of `k` that satisfies `zkHash(k) == h`\n9. Alice provides the set of data to Bob:\n   1. `h`\n   2. `K`\n   3. `Script`\n   4. `proof`\n10. Bob calculates `PKEsc` as `K + PKB + hash((K + PKB) || Script) * G` and finds the transaction that locked the BTC (verifies it exists). Then Bob performs the following verification:\n    1. Verifies that Alice knows `k` that satisfies `k*G == K` and `zkHash(k) == h`; this means that Bob can access the output `PKEsc` if he receives `k`\n    2. Verifies that the `Script` is correct and includes only the required alternative path.\n11. If verifications are passed, Bob forms the transaction that locks his funds on the following conditions:\n    1. Publishing of `k` and the signature of `skA`: only Alice can spend it if she reveals `k` (hash preimage)\n    2. Signature of `skB` + Locktime: Bob, with knowledge of `skB`, can spend the output, but only after some point in time `t2`\n12. Bob sends the transaction to the Ethereum network (or any other that supports `zkHash()`)\n13. Alice sees the locking conditions defined by Bob and publishes the `k` together with the signature generated by her `skA`. As a result, Alice spends the funds locked by Bob.\n    1. 
If Alice doesn’t publish the relevant `k`, Bob can reclaim the funds after the locktime is reached\n14. If Alice publishes a transaction with `k`, Bob can recognize it and extract the `k` value\n15. Bob calculates the needed `skEsc` as `skEsc = k + skB + hash((K + PKB) || Script)`\n16. Bob sends the transaction with the signature generated by the `skEsc` and spends funds locked by Alice.\n---\n## The first taprootized atomic swap between Bitcoin and Ethereum mainnets\n\nTransactions:\n1. Alice locks BTC: 850e9258bf8b3bb280d32a647198d8024aece543dc283f7bfa526f4c0ceb1ab8\n2. Bob locks ETH: 723919c0e8ec57d38792ec29b2cb82ee885b9fbbc886b34ff40fb5d3f7cc9b43\n3. Alice withdraws ETH from the contract: 47546191a7c99ec4a7ddc243d6ea75d345ab3aff0762e09dd2f537731bd484f3\n4. Bob spends BTC: 859dbfaa901d7106aecc8cb29966ede0c9d7a17c2cae31f4d420c1d770e9706d\n---\n\n## A bit about the repository\nThis repository provides all components for executing an atomic swap, including a script for an \nEthereum-Bitcoin exchange between Alice and Bob.\n\n- `circuits`: Contains [`Circom`](https://docs.circom.io/) circuits for Zero-Knowledge proof \n  creation in step eight of the outlined flow. These circuits verify the knowledge of a private \n  256-bit scalar `k`, where `K = k * G` and `h = Poseidon(k)`, with `K` and `h` being public, \n  `Poseidon` being the hash function, and `G` representing the Secp256k1 base point.\n- `contracts`: Contains the `Depositor` contract in Solidity designed for depositing\n  native currency using a 256-bit number `h` and `locktime`, locking funds with two withdrawal \n  conditions:\n  - Spender knows some `k` such that `h = Poseidon(k)` - money goes to the message sender\n  - `locktime` has passed - money goes to the deposit maker\n- `crates`: Contains Rust crates for ZkSnark witness, proof generation, and validation. Proof \n  generation currently takes about 13 seconds on an M1 Pro chip, with witness calculation \n  accounting for 10 seconds. 
Utilizing `c++` bindings instead of the existing `wasm` witness\n  calculator can notably reduce this time.\n- `src`: Contains the Rust script for facilitating an atomic swap between Alice and Bob. It \n  encompasses all steps outlined in the documentation, including proof generation, taproot \n  transaction creation, and executing transactions on both Bitcoin and Ethereum networks.\n- `scripts`: Contains auxiliary scripts for Circom and SnarkJS.\n\n## How to try it out?\nYou can use either testnets for Ethereum and Bitcoin networks or run the local test networks by \nusing such utilities as [`ganache`](https://trufflesuite.com/ganache/) for Ethereum and \n[`nigiri`](https://nigiri.vulpem.com/) for Bitcoin.\n\nYou can use these deployed, verified, and ready-to-use contracts:\n- Ethereum mainnet: [`0x936f971455bc674F77312f451963681fe964E838`](https://etherscan.io/address/0x936f971455bc674f77312f451963681fe964e838)\n- Sepolia testnet: [`0x85BEaB7f80B375175BeCC3f68Bf86d33099fD576`](https://sepolia.etherscan.io/address/0x85BEaB7f80B375175BeCC3f68Bf86d33099fD576)\n\nFor ZK proof generation, you can use trusted setup files (`.ptau`, at least 17th power) from the\n[`SnarkJs`] repository; you can find them in its readme section.\n\n#### Steps: \n0. Install [`Cargo`](https://doc.rust-lang.org/book/ch01-01-installation.html#installation), \n   [`Circom`](https://docs.circom.io/getting-started/installation/), \n   [`SnarkJS`](https://docs.circom.io/getting-started/installation/#installing-circom)\n1. Set up `config.toml`. See `config.example.toml` for an example; it has a detailed description.\n2. Compile \u0026 run the script with a provided config path (because of the outdated packages, it can't be compiled in release mode or installed with `cargo install`):\n   ```bash\n   cargo run config.toml\n   ```\n   \n### Build for Linux\nBefore compiling, make sure that you have OpenMP installed on your device. 
It is a required \ndependency to build the `rapidsnark-sys` crate.\n```bash\nsudo apt update\nsudo apt upgrade\nsudo apt install libomp-dev\n```\n\n### Acknowledgments\nWe use a [circom ecdsa](https://github.com/0xPARC/circom-ecdsa) implementation from 0xPARC.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdistributed-lab%2Ftaprootized-atomic-swaps","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdistributed-lab%2Ftaprootized-atomic-swaps","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdistributed-lab%2Ftaprootized-atomic-swaps/lists"}