Abstract & Notation
Abstract
ZSwitch is a privacy-preserving execution layer that bridges Zcash's shielded pools with Solana's high-throughput execution environment. This specification describes the cryptographic protocols, account structures, and cross-chain mechanisms that enable private DeFi operations while maintaining the security properties established by the Zcash protocol (ZIP-224, ZIP-225, ZIP-244).
The protocol achieves sender privacy, receiver privacy, and value privacy for cross-chain operations by leveraging Zcash's shielded transaction model as the source of truth, while using Solana only as an execution substrate that processes encrypted intents.
Notation Conventions
mathematical_notation.tex
NOTATION CONVENTIONS
══════════════════════════════════════════════════════════════════════════════
GROUPS AND FIELDS
─────────────────────────────────────────────────────────────────────────────
𝔽_p Finite field of order p (BLS12-381: p ≈ 2^381)
𝔽_q Scalar field (BLS12-381: q ≈ 2^255)
𝔾_1 Elliptic curve group (BLS12-381 G1)
𝔾_2 Extension field curve group (BLS12-381 G2)
𝔾_T Target group of pairing e: 𝔾_1 × 𝔾_2 → 𝔾_T
ℙ Pallas curve group (Orchard)
𝕍 Vesta curve group (Orchard recursion)
OPERATORS
─────────────────────────────────────────────────────────────────────────────
[s]·P Scalar multiplication: point P multiplied by scalar s
P + Q Point addition on elliptic curve
e(P, Q) Bilinear pairing operation
H(x) Cryptographic hash function (context-dependent)
PRF_k(x) Pseudorandom function with key k on input x
KDF(x) Key derivation function
Enc_k(m) Symmetric encryption of m under key k
‖ Concatenation operator
TYPE ANNOTATIONS
─────────────────────────────────────────────────────────────────────────────
[n] Byte array of length n
{0,1}^n Bit string of length n
ℤ_r Integers modulo r (scalar field)
repr_ℙ(P) Canonical byte representation of point P ∈ ℙ (32 bytes)
Extract(P) Extract x-coordinate from point P
DOMAIN SEPARATORS
─────────────────────────────────────────────────────────────────────────────
DST Domain separation tag for hash functions
"z.cash:*" Zcash protocol domain separators
"zswitch:*" ZSwitch-specific domain separators
Security Parameters
| Parameter | Value | Security Level | Reference |
|---|---|---|---|
| λ (computational) | 128 bits | 2^128 operations | NIST Level I |
| κ (statistical) | 128 bits | 2^-128 advantage | ZIP-216 |
| Curve (Sapling) | BLS12-381 | ~126 bits | RFC 9380 |
| Curve (Orchard) | Pallas/Vesta | ~126 bits | Pasta Curves |
| Hash (Poseidon) | t=3, α=5 | 128-bit collision | ZIP-212 |
| PRF (Blake2b) | 512-bit output | 256-bit security | RFC 7693 |