Today we're launching early access to Zwap.
Trustless, shielded cross-chain swaps for Zcash. In and out of Orchard, trusting no one.
Live now: https://t.co/AV2pcQQ7SB
We're hiring a Growth Lead at Atheon
Someone who actually understands ZK infrastructure and knows how to build an audience that does too.
You'll own the voice of Atheon and build the audience from the ground up. If high ownership is what you're looking for, this is that.
Cross-chain swaps shouldn’t leak your entire trade graph.
Today’s standard (HTLCs) makes swaps trivially linkable across chains via a shared hash.
We’re introducing Zwap - a new atomic swap construction compatible across programmable and UTXO chains that removes that assumption entirely.
Instead of hash correlation, we use:
• ECDH-based key aggregation → Shared signing key = s · b
• Zero-knowledge binding proof → Ties secret to both locks (off-chain)
• Trustless execution → Fixed recipients, zero MEV surface
What this unlocks:
→ No shared on-chain identifier across chains
→ Cryptographic unlinkability
→ Compatible with Bitcoin, Litecoin, Zcash (no protocol changes)
HTLC swaps are easy to trace.
Zwap removes that linkage at the protocol level.
This moves us closer to eliminating cross-chain linkage at the protocol level.
Explore it here: https://t.co/pe3wO9eksY
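To make the HTLC linkage described in the thread above concrete, here is an added example (not part of the original posts and not Zwap's code) that audits observed lock scripts for a hashlock reused on more than one chain. The script layout (`OP_SHA256 <32-byte push> OP_EQUALVERIFY`), the chain labels, the transaction ids and the secrets are constructed assumptions.

```python
import hashlib
from collections import defaultdict

# Bitcoin-style script opcodes used by a typical hash-locked branch.
OP_IF, OP_SHA256, OP_EQUALVERIFY = 0x63, 0xA8, 0x88
PUSH_32 = 0x20  # direct push of 32 bytes


def htlc_prefix(secret: bytes) -> bytes:
    """Constructed helper: OP_IF OP_SHA256 <SHA-256(secret)> OP_EQUALVERIFY."""
    digest = hashlib.sha256(secret).digest()
    return bytes([OP_IF, OP_SHA256, PUSH_32]) + digest + bytes([OP_EQUALVERIFY])


def extract_hashlock(script: bytes):
    """Return the 32-byte hashlock, or None if the pattern is absent.

    Naive byte scan; a production audit would tokenize the script first.
    """
    for i in range(len(script) - 34):
        if (script[i] == OP_SHA256 and script[i + 1] == PUSH_32
                and script[i + 34] == OP_EQUALVERIFY):
            return script[i + 2:i + 34]
    return None


def linked_swaps(observations):
    """Map hashlock hex -> [(chain, txid)] for hashlocks seen on 2+ chains."""
    seen = defaultdict(list)
    for chain, txid, script in observations:
        hashlock = extract_hashlock(script)
        if hashlock is not None:
            seen[hashlock.hex()].append((chain, txid))
    return {h: locs for h, locs in seen.items()
            if len({chain for chain, _ in locs}) > 1}


# Constructed sample: one swap locked on two chains, one single-chain HTLC,
# and one ordinary pay-to-pubkey-hash script with no hashlock at all.
SAMPLE = [
    ("bitcoin", "btc-tx-1", htlc_prefix(b"swap-secret-A") + b"\x76\xa9"),
    ("litecoin", "ltc-tx-7", htlc_prefix(b"swap-secret-A") + b"\x76\xa9"),
    ("bitcoin", "btc-tx-2", htlc_prefix(b"swap-secret-B")),
    ("litecoin", "ltc-tx-9", b"\x76\xa9\x14" + bytes(20) + b"\x88\xac"),
]

if __name__ == "__main__":
    for hashlock, locations in linked_swaps(SAMPLE).items():
        print(hashlock, locations)
```

Both legs of the first swap are grouped under the same hashlock with no other information needed, which is the shared on-chain identifier the thread says Zwap avoids.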
yeah, the constraint format is standard R1CS, but the witness includes FS challenges; we call this GR1CS internally. The key requirement is the ability to sample challenges between witness commitments, which works naturally with any multi-round proving protocol. and thanks for the paper, looks interesting, will check it out 👀
yeah, the key dependency is the ability to sample FS challenges during the proof, which assumes a multi-round protocol.
In our setup (WHIR PCS), that falls out naturally since the protocol already alternates between commitments and challenges.
Vanilla Groth16 is single-pass with a fixed witness, so there’s no place to inject that randomness.
Great points on Poseidon, we actually use Poseidon2 wherever we control the primitive (Merkle trees, attestation, nullifiers).
But the core use case here is passport verification, where we don’t get that choice. Since everything is signed with RSA-SHA256 (X.509), we have to recompute the exact same hashes.
That’s exactly why making SHA-256 cheaper in R1CS matters for us, it’s not optional, it’s a hard constraint.