Renegade at a High Level

At its core, Renegade’s system is built around **wallets** (detailed below) and their state transitions. Wallets hold balances, orders, keys, etc., and represent decentralized, user-owned bookkeeping structures.

To support efficient private updates and matches, as well as wallet recovery from contract state, we construct secret shares of the wallet and post the public shares on-chain. State transitions are proven with respect to these shares, and hash-based commitments to the shares are inserted into a global Merkle tree. A commit-nullify scheme on these shares ensures that state updates form a chain — without “double spends”.

To minimize the number of secrets users have to custody, secret shares are generated via a CSPRNG seeded with a private value. This CSPRNG generates private secret shares for a wallet, from which the public secret shares are additively derived. To prevent known plaintext attacks, we blind all secret shares in a wallet with a blinder sampled from a separate CSPRNG.

For example, if a wallet (flattened) consists of elements $\{w_1, \ldots, w_n\}$ we construct private secret shares $s_1, \ldots, s_n \leftarrow \text{CSPRNG}(\text{share\_seed})$. We would then sample a blinder and blinder private share from a separate CSPRNG as: $\text{blinder}, \text{blinder\_private} \leftarrow \text{CSPRNG}(\text{blinder\_seed})$.

The public blinder share is then $\text{blinder} - \text{blinder\_private}$.

For wallet element $i$, the public share that we post on chain is blinded as: $p_i := w_i - s_i + \text{blinder}$. The blinder public share, and the public shares of the wallet, are posted on-chain with every transaction.
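The sharing and recovery arithmetic above, carried through end to end as an added example (this is illustrative code written for this page, not Renegade's implementation). The page does not specify which CSPRNG is used, so a SHA-256-based counter stream reduced into $\mathbb{F}_r$ stands in for it here; the seed values and the three-element wallet are constructed sample inputs. Recovery uses only what the page says is available: the two seeds plus the public shares and public blinder share that were posted on-chain.

```python
import hashlib

# Modulus r of the bn254 scalar field F_r, the field the page calls "Scalar".
BN254_R = 21888242871839275222246405745257275088548364400416034343698204186575808495617


def csprng(seed: bytes, n: int) -> list[int]:
    """Deterministic stream of n field elements from a seed.

    Assumption: the page names a CSPRNG but not which one; SHA-256 over
    seed || counter, reduced mod r, is a stand-in for illustration only.
    Reducing a 256-bit digest mod r is slightly biased; fine for a demo.
    """
    stream = []
    for counter in range(n):
        digest = hashlib.sha256(seed + counter.to_bytes(8, "big")).digest()
        stream.append(int.from_bytes(digest, "big") % BN254_R)
    return stream


def share_wallet(wallet: list[int], share_seed: bytes, blinder_seed: bytes):
    """Split a flattened wallet into private shares (kept off-chain, derived
    from share_seed) and the blinded public shares that are posted on-chain.

    Returns (public_shares, blinder_public); the private shares are never
    returned because the user re-derives them from the seed when needed.
    """
    n = len(wallet)
    private_shares = csprng(share_seed, n)                 # s_1 .. s_n
    blinder, blinder_private = csprng(blinder_seed, 2)     # from a separate CSPRNG
    blinder_public = (blinder - blinder_private) % BN254_R # posted on-chain
    # p_i := w_i - s_i + blinder, all arithmetic in F_r
    public_shares = [(w - s + blinder) % BN254_R for w, s in zip(wallet, private_shares)]
    return public_shares, blinder_public


def recover_wallet(public_shares: list[int], blinder_public: int,
                   share_seed: bytes, blinder_seed: bytes) -> list[int]:
    """Rebuild the wallet from on-chain data plus the two seeds.

    The blinder is reconstructed additively from the posted public blinder
    share and the re-derived private blinder share, then removed from each
    public share: w_i = p_i + s_i - blinder.
    """
    n = len(public_shares)
    private_shares = csprng(share_seed, n)
    _, blinder_private = csprng(blinder_seed, 2)
    blinder = (blinder_public + blinder_private) % BN254_R
    return [(p + s - blinder) % BN254_R for p, s in zip(public_shares, private_shares)]


if __name__ == "__main__":
    # Constructed sample: a wallet flattened to three field elements.
    wallet = [1_000, 250, 7]
    pub, bpub = share_wallet(wallet, b"constructed-share-seed", b"constructed-blinder-seed")
    print("on-chain public shares:", pub)
    print("on-chain public blinder share:", bpub)
    print("recovered:", recover_wallet(pub, bpub, b"constructed-share-seed",
                                       b"constructed-blinder-seed"))
```

Two properties are worth checking against this code. First, recovery needs only the seeds and the on-chain values, which is exactly why a user custodies so few secrets. Second, the blinder is what keeps a known wallet element from leaking its share: without it, an observer who knows $w_i$ (say, a freshly created wallet whose balances are all zero) could compute $s_i = w_i - p_i$ directly from the posted public share.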

The state transitions and NP statements below are all about modifying, resampling, committing to, and nullifying these shares to express application level state updates.

Types

Misc

When we refer to a Scalar we implicitly mean an element of the bn254 scalar ($\mathbb{F}_r$) field.

In our system, we size our circuits using the following parameters: [codelink]