SIP Specification
SIP Specification
Section titled “SIP Specification”Core protocol specification for the Shielded Intents Protocol.
Protocol Overview
Section titled “Protocol Overview”SIP provides privacy for cross-chain intents through:
- Pedersen Commitments - Hide transaction amounts
- Stealth Addresses - Unlinkable recipient addresses
- Viewing Keys - Selective disclosure for compliance
- ZK Proofs - Verify without revealing secrets
Intent Format
Section titled “Intent Format”Shielded Intent Structure
Section titled “Shielded Intent Structure”interface ShieldedIntent { // Identification intentId: string version: string privacyLevel: 'transparent' | 'shielded' | 'compliant'
// Timing createdAt: number expiry: number
// Output (public - needed for quoting) outputAsset: Asset minOutputAmount: bigint maxSlippage: number
// Hidden fields (commitments) inputCommitment: Commitment senderCommitment: Commitment
// Stealth addressing recipientStealth: StealthAddress ephemeralPublicKey: HexString
// Proofs fundingProof: ZKProof validityProof: ZKProof
// Compliance (optional) viewingKeyHash?: Hash encryptedMetadata?: Encrypted}Commitment Format
Section titled “Commitment Format”interface Commitment { value: HexString // 33-byte compressed point blindingFactor: HexString // 32-byte scalar}Stealth Address Format
Section titled “Stealth Address Format”interface StealthAddress { address: HexString // 33-byte compressed public key ephemeralPublicKey: HexString viewTag: number // 0-255}Cryptographic Primitives
Section titled “Cryptographic Primitives”Curve Parameters
Section titled “Curve Parameters”| Parameter | Value |
|---|---|
| Curve | secp256k1 |
| Generator G | Standard |
| Order n | 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141 |
Hash Functions
Section titled “Hash Functions”| Purpose | Function |
|---|---|
| Shared secret | SHA-256 |
| Key derivation | HKDF-SHA256 |
| View tag | SHA-256[0] |
Encryption
Section titled “Encryption”| Component | Algorithm |
|---|---|
| Symmetric | XChaCha20-Poly1305 |
| Key derivation | HKDF |
| Nonce size | 24 bytes |
Commitment Scheme
Section titled “Commitment Scheme”NUMS Generator
Section titled “NUMS Generator”Independent generator H where log_G(H) is unknown:
GenerateH(): domain ← "SIP-PEDERSEN-GENERATOR-H-v1" for counter = 0 to 255: candidate ← SHA256(domain || counter) if IsValidCurvePoint(candidate): H ← LiftX(candidate) if H ≠ G and H ≠ O: return HCommit
Section titled “Commit”Commit(v, r): Input: value v ∈ [0, n), optional blinding r Output: commitment C, blinding r
1. If r not provided: r ← RandomBytes(32) mod n 2. If r = 0: r ← 1 3. C ← v·G + r·H 4. Return (C, r)Verify Opening
Section titled “Verify Opening”VerifyOpening(C, v, r): 1. r' ← r mod n 2. If r' = 0: r' ← 1 3. C' ← v·G + r'·H 4. Return C = C'Stealth Address Scheme
Section titled “Stealth Address Scheme”Generate Meta-Address
Section titled “Generate Meta-Address”GenerateMetaAddress(chain): 1. p ← RandomBytes(32) // Spending private 2. q ← RandomBytes(32) // Viewing private 3. P ← p·G 4. Q ← q·G 5. Return { metaAddress: (P, Q, chain), spendingKey: p, viewingKey: q }Derive Stealth Address
Section titled “Derive Stealth Address”DeriveStealthAddress(P, Q): 1. r ← RandomBytes(32) 2. R ← r·G 3. S ← ECDH(r, P) 4. s ← SHA256(S) 5. A ← Q + s·G 6. viewTag ← s[0] 7. Return { address: A, ephemeralKey: R, viewTag: viewTag }Recover Stealth Key
Section titled “Recover Stealth Key”RecoverStealthKey(A, R, p, q): 1. S' ← ECDH(p, R) 2. s' ← SHA256(S') 3. a ← q + s' mod n 4. Assert a·G = A 5. Return aMeta-Address Encoding
Section titled “Meta-Address Encoding”sip:<chain>:<spendingKey>:<viewingKey>
Example:sip:ethereum:0x02abc...def:0x03123...456
Where:- chain ∈ {ethereum, solana, near, zcash, polygon, ...}- spendingKey: 33-byte compressed public key (hex)- viewingKey: 33-byte compressed public key (hex)Proof Types
Section titled “Proof Types”Funding Proof
Section titled “Funding Proof”Proves: User has balance ≥ committed amount
Public inputs: - commitment_hash - minimum_amount
Private inputs: - actual_balance - blinding_factor
Constraints: - actual_balance >= minimum_amount - commitment = Pedersen(actual_balance, blinding_factor)Validity Proof
Section titled “Validity Proof”Proves: Intent is authorized by sender
Public inputs: - intent_hash - sender_commitment
Private inputs: - sender_address - signature - blinding_factor
Constraints: - signature valid for intent_hash - sender_commitment = Pedersen(hash(sender_address), blinding)Fulfillment Proof
Section titled “Fulfillment Proof”Proves: Solver correctly executed the swap
Public inputs: - intent_id - output_commitment - recipient_stealth
Private inputs: - output_amount - output_blinding - execution_proof
Constraints: - output_amount >= min_output_amount - output_commitment = Pedersen(output_amount, output_blinding) - funds sent to recipient_stealthSecurity Parameters
Section titled “Security Parameters”| Parameter | Value | Justification |
|---|---|---|
| Curve | secp256k1 | 128-bit security |
| Hash | SHA-256 | 128-bit collision resistance |
| Key size | 256 bits | Standard security level |
| View tag | 8 bits | 256x scanning speedup |
| Nonce | 192 bits | XChaCha20 standard |
Error Codes
Section titled “Error Codes”| Code | Description |
|---|---|
| SIP_2000 | Validation failed |
| SIP_2002 | Invalid chain |
| SIP_2003 | Invalid privacy level |
| SIP_2004 | Invalid amount |
| SIP_3000 | Crypto operation failed |
| SIP_4000 | Proof generation failed |
| SIP_5000 | Network error |
Version History
Section titled “Version History”| Version | Date | Changes |
|---|---|---|
| 1.0.0 | Nov 2025 | Initial specification |