pRepublic Protocol A decentralized dark pool exchange providing atomic swaps for Ethereum-based assets and Bitcoin. December 18, 2017 Taiyang Zhang, Loong Wang Abstract The market capitalization and trading volume of cryptocurrencies is growing rapidly every month. With institutional investors arriving into the cryptocurrency market, the development of alternative trading systems is critical for trading large blocks of cryptographic assets while maintaining minimal price slippage and market impact. We introduce Republic, a decentralized open-source dark pool protocol facilitating atomic swaps between cryptocurrency pairs across the Bitcoin and Ethereum blockchains. Trades are placed on a hidden order book and are matched through an engine built on a multi-party computation protocol. This provides order cution without exposing market sensitive ination such as price and volume at a certain position, which would provide an advantage to other traders. Republic removes the need for a trusted intermediary to operate a dark pool and provides crypto-economic incentives through a protocol token for governance; enabling the development of a secure, decentralized, scalable dark pool protocol capable of handling billions in trading volume daily. Introduction 3 Decentralized block order infrastructure 3 Atomic swap 3 Trustless, fair access to dark pools 4 Problems with centralized dark pools 4 How the Republic Protocol works 6 System properties 6 Assumptions 6 Security model 6 Order Matching 8 Incentive layer 9 Fees 9 Bonds 9 Attacks and Defenses 10 Order Reconstruction 10 False Orders 11 Sybil Attacks 11 Protocol token 12 Roadmap 12 References 13 Miscellaneous 14 1Introduction The advent of blockchain technologies has enabled the development of an entirely new class of assets backed by cryptographic verification. Bitcoin BTC and Ethereum ETH are two blockchain-based cryptocurrencies which, as of nbsp;eclipse the aggregate market capitalization of all other cryptocurrencies. In November 2017, the volumes for BTC and ETH trades exceeded USD 181B nbsp;not including over-the-counter and trades cuted on private forums. This statistic, coupled with the announcements of Bitcoin futures markets from CME Group and NASDAQ, signals interest from institutional investors looking to gain exposure to digital cryptographic assets. With institutions and HNWIs looking to deploy vast amounts of wealth into cryptocurrencies, we must develop the underlying infrastructure to support such volumes. At a fundamental level, dark pools are private exchanges where financial assets and instruments are traded and matched by an engine running on a hidden order book. These exchanges are primarily created to serve institutional or HNW retail investors who require a system where significant volumes of assets can be block traded with minimal price slippage. Dark pools are estimated to represent approximately 15 of all trading volume of all US stock trades [6]. Extrapolating this statistic for BTC and ETH volumes, a dark pool for such has the potential to cute USD 27.2B of orders monthly. We introduce the Republic Protocol which facilitates the exchange of Ethereum, ERC20 and Bitcoin cryptocurrencies through a decentralized dark pool. This is enabled through research within subfields of cryptography such as secure multi-party computation, which allow us to develop a matching engine to run on the distributed hidden order book. We facilitate cross-chain trades through atomic swaps and implement proper economic incentives to ensure these trades are cuted thoroughly. Compared to a centralized dark pool or exchange, the Republic Protocol removes the risk of asset theft, confiscation or possibility of interference from a malicious exchange operator. This leads to greater trust between institutional investors placing block orders and dark pool exchanges leveraging the Republic protocol. Additionally, the Republic Protocol is available universally and is highly transparent with regards to how the underlying protocol operates. Elementary Components ●Decentralized hidden order book ○A decentralized, hidden order book. ●Decentralized order matching nbsp;○Matching orders without knowing the underlying details ●Atomic swap infrastructure ○The ability to swap between Bitcoin, Ethereum and Ethereum-based tokens without trust. ●Protocol token ○The REN token Motivation ●Infrastructure for block orders ●Cross-chain trades ●Trustless, equitable access to dark pools ●Centralization risk 2Republic Protocol How the Republic Protocol works The primary technical goal of the Republic Protocol is to enable a decentralized network of nodes to match orders, without knowing anything about the orders. While it might seem like this is impossible, it can be achieved by applying cryptographic techniques that have been thoroughly researched over that last 30 years; modifying them to be suitable for the world of decentralized computation. The Republic Protocol uses the Shamir Secret Sharing Scheme [1] to break down orders into a large number of order fragments, and distributes them throughout the network. Orders cannot be reconstructed unless a majority of the order fragments are recombined. To prevent this from happening, the Republic Protocol defines an Ethereum smart contract called the Registrar that organizes nodes into a network topology that makes it unreasonably difficult for an adversary to acquire the enough of the order fragments to reconstruct an order. As long as traders respect the network topology defined by the Registrar, their orders will be safe. If they fail to do so, only their own orders are at risk of exposure. Using order fragments from two different orders, a node can cooperate with other nodes that hold other order fragments for the same two orders to per a decentralized computation that will determine if the two orders match. The decentralized computation does not expose the order fragments, and pers a random scaling of the final output [2][3]. This prevents nodes from reconstructing the original orders, and prevents them from using the output to infer anything about the orders. A Zero knowledge proof is used to verify the integrity of the computation, without revealing any ination. These proofs are simple and efficient, allowing them to be pered by an Ethereum smart contract called the Judge [3]. After two orders have been matched, an atomic swap is initiated between the two traders over the Republic Swarm Network, a decentralized peer-to-peer network. Using standard asymmetric encryption primitives, the details of the atomic swap are kept secure. System Properties The Republic Protocol provides the following properties 1. The identity of the traders is secure within the Republic Dark Pool. The underlying cryptocurrency that is being traded may provide different limitations for privacy. 2. Traders do not have to remain connected to the network while their orders are being matched. Once an order is placed, nodes will run the matching computation until a match is found, or the order is expired either manually, or by passing a deadline designated by the trader. nbsp;3. An order is secure until it is matched. After being matched, some details of the order are revealed to the matching parties. This is the natural limit of security for an order, since both parties know what they ted, and both parties need to know when a match has occurred. Note that ination disclosed in these cases does not provide any inational advantage to either party. 4. The total liquidity of the Republic Dark Pool cannot be reasonably estimated by any participant. 3Assumptions The Republic Protocol is built on the following assumptions I. There exists a trusted third-party that will always per computations honestly, but has limited computational power i.e. Ethereum. II. Participants act rationally and will not participate if there is no financial incentive to do so, and will attempt to maximize their own profit. In this way, we do not assume that a participant will act honestly if they can maximize their profit by acting maliciously. Adversarial Assumptions The Republic Protocol makes the following adversarial assumptions I. Adversaries cannot corrupt the trusted third-party defined previously by Assumption II. Concretely, an adversary cannot subvert the correctness of computations done by the Ethereum network. All plats built on Ethereum need to make this adversarial assumption. II. Adversaries have limited financial, and computational, powers. Limited financial powers are a reasonable assumption to make in the real world, and computational powers are naturally limited by financial powers. III.Computationally hard problems used to construct cryptographic primitives are sufficiently secure. This assumption is made by all blockchains that utilize any of cryptography, including Bitcoin and Ethereum. Security Model Defining a security model allows us to analyze the security guarantees provided by the Republic Protocol. The Republic Protocol makes use of the nbsp;real vs. ideal paradigm; analyzing the security of a real world decentralized protocol with respect to some non-existent ideal world in which there is a trusted, and incorruptible, third-party that can be used to handle all sensitive ination and per all sensitive computations this is not the same as Ethereum, since all transactions and data on Ethereum is publicly available. The security of the Republic Protocol can be demonstrated by showing that any possible attack in the real world is also possible in the ideal world. Since the ideal world is trivial to define, the real protocol is secure by implication. This approach to security analysis is typical for decentralized computation protocols in which there are active and passive adversaries. The ideal Republic Protocol contains a trusted, and incorruptible, third-party T. Traders their orders to T, and T guarantees to never reveal the details of these orders. T constantly attempts to match orders that have been ted, and when a match is found T ins the respective traders. The traders each their cryptocurrencies to T, and if they both do so, T swaps the cryptocurrencies and gives them back to the traders. This completes the trade. The real Republic Protocol is considered secure if, and only if, all attacks on the real protocol are also possible on the ideal protocol. From the definition of the ideal Republic Protocol it is clear that such an equivalence is sufficient. 4The Republic Protocol is able to guarantee that, unless the majority of nodes in the network are active adversaries, it is as secure as the ideal world protocol. If 50 of nodes are active adversaries, and they are enjoying the attackers best-case scenario, they are able to reconstruct all orders. However, the Republic Protocol ensures that such a best-case scenario is impossible to achieve in the real world. In the typical case, 50 of nodes becoming active adversaries would only allow the adversaries to reconstruct 50 of the orders. A more detailed explanation is given in “Attacks and Defenses”. 5Decentralized Order Matching Order matching is the process through which nodes match orders against each other without being able to observe the details of the order. To achieve this, traders first breakup their order into a set of order fragments. Note that these fragments do not individually represent a fraction of the order’s value, they simply represent the separation of sensitive data regarding the underlying order. On its own an order fragment reveals nothing about the underlying order, but when at least half of the order fragments for an order are combined, the order can be reconstructed see “Attacks and Defenses” for details about protecting against this. Each node pers an order matching computation on order fragments from multiple different orders and combines the results with the results from nodes who are using different fragments. The fragments are constructed in such a way that, after the computations are applied, the resulting fragments can be combined to reveal, not the underlying orders, but the result of the order matching computations for the underlying orders. This has several nice properties. For one, only half of the order fragments are needed to reconstruct an order. Nodes are incentivized to avoid collusion and adversaries have a difficult time subverting this system, see “Attacks and Defenses”. This means that if half of the nodes accidentally die, or leave the network halfway through an order matching computation, the network can still finish the computation. This makes it highly resilient to DDoS attacks, and expected failures. Order fragments are constructed in such a way that the order matching computations can use any function, applied over a polynomial, and can be involve two or more underlying orders. This allows for very flexible order matching computations. Nodes can match orders based on exact price points, partially match orders when only some of an order can be matched due to the currently available liquidity, match triplets or more of orders to increase liquidity e.g. the triplet BTC-to-ETH and ETH-to-REN and REN-to-BTC, where no match can be found with only pairs. Assuming the existence of a decentralized, consensus-based, data stream for National Best Bid and Offer NBBO data, the order matching computations can even involve orders without an explicit price point. Winning and Losing Nodes race to discover order matches. Any match that is found must be registered so that other nodes can see which orders have been closed. The associated traders are notified, and none of the matched orders can be involved in future matches. This is done on the Ethereum network, under Assumption 1. If two orders do not match, they continue to be used in future matching games. If an order cannot be matched before it expires, the associated fee is refunded. The nodes that combine their outputs to register a match are rewarded a fee, to incentivize their honest participation in the order matching game see “Incentive Layer”. This also incentivizes them to match as many orders as quickly as possible, since this correlates to a higher reward over time. The Republic Protocol also includes an Atomic Swapping protocol that is initiated between traders that have had their orders matched. Nodes facilitate passing messages and where possible, setting up a direct P2P connection between traders that cutes the order. Note that traders cannot be bound to cute on the orders, due to the limited way in which blockchains can communicate see “Attacks and Defenses” for ination about placing false orders. However, using trader bonds, traders can be heavily incentivized to faithfully cute orders. nbsp;At no point during order matching, or even after orders have matched, are Republic Protocol nodes capable of revealing the detai/p