Recently I went down a rabbit hole of researching if it was even possible to add Hush, DragonX and HACs to BasicSwap (BSX), a decentralized exchange (DEX) for doing atomic swaps between cryptocoins, with a focus on doing swaps between privacy coins. This became a fascinating journey of learning many things including the fact that if we can get Hush on BasicSwap then it's a "simple matter of programming" to get Zcash and other Zcash Protocol coins on BSX. That would be pretty awesome since BSX does not currently support Zcash family coins.
First we will start with some background about atomic swaps, BasicSwap, why it is superior to older atomic swap tech and the path forward to adding support.
For a real world metaphor of an atomic swap, think about exchanging some currency for another when arriving in a foreign country. You give some of your currency and you get some of theirs. In the "real world" you trust (i.e. hope) that when you give them your currency, they give the correct amount of their currency to you. This is usually the case when using the exchange counter at an airport, but if you have ever exchanged currencies at a border crossing from a shady dude with a calculator then you understand why you really want the "atomic" part, especially when transacting with strangers on the internet. Atomic swaps make sure that if one party doesn't fulfill their part, then the transaction fails and your funds are returned.
The idea of an atomic swap goes all the way back to a BitcoinTalk post from 2012 by Sergio Demian Lerner though you won't see the words "atomic" or "swap" anywhere there. But it describes a process of trading coins across blockchains that we now call "atomic swaps". Then in 2013 Tier Nolan described a process using a Hashed Time Lock Contract (HTLC) to accomplish an "atomic" transfer of funds from one blockchain to a different blockchain. Most atomic swaps to this day use this same method to swap coins between chains. That is all well and good, but HTLCs have various downsides if you try to use them with sufficiently "different" blockchains as well as with privacy coins.
The idea of atomic swaps comes from the early days of Bitcoin and so it is no surprise that it assumes all data is public, there is no private blockchain data. Everyone in the world can see everything about every transaction. That fact actually makes atomic swaps on Bitcoin and other related transparent chains "easy". It is a simple matter of using HTLCs correctly on both chains and then Bob's your uncle. But how can atomic swaps even be possible on privacy coin chains, where some or maybe even no data about the transaction is public? It doesn't even seem possible but amazingly, it is. The key is to avoid HTLCs entirely by using some pretty cool math. This math goes by a few different names but we will call them "Adaptor Signatures" here. They are also called "Signature Adaptors", "Scriptless Scripts" or "Verifiably Encrypted Signatures" (VESs). Call them whatever you want, they are digital magic that allows funds to be traded across blockchains with very little metadata leakage. Wait, how is that even possible?
Firstly, HTLCs leak a fuckton of metadata. This is no surprise, they come from a world of everything being public. They leak the fact that a swap is happening (swap transactions look different than normal transactions), they leak the exchange rate of the swap and they leak data about the success or failure of the swap to complete. On public blockchains, you could say these are not bugs/leaks, they are features, which allow both parties to verify things are happening as they should. But on privacy coin blockchains, these are problems. We don't want anybody to know that a swap is happening, we don't want anybody outside of the swap to know the exchange rate and don't want the rest of the world to know if it succeeded or failed. Another fact unrelated to privacy but quite important is that HTLCs take up extra space compared to a normal transaction. They bloat the blockchain with executable code called Bitcoin Script, which is why Adaptor Signatures are also called Scriptless Scripts. They accomplish the same thing as Script but without the Script. Seems impossible, right?
Adaptor Signatures solve all the above problems, and more. For instance, HTLCs work great when you want to swap two coins derived from Bitcoin, because they both will speak (roughly) the same Script language. But what happens when you want to swap Bitcoin and Monero? Monero has no HTLCs and no Script. Monero and Bitcoin transactions don't speak the same language. That makes sense, Monero and Bitcoin are quite different and don't even use the same elliptic curves. So when the paper Bitcoin-Monero Cross-chain Atomic Swap came out and described how to do a BTC/XMR swap it paved the way for a new era of atomic swaps. This paper is the core idea behind the magic of BasicSwap and how it can swap Bitcoin-derived coins with Monero-derived coins.
We could go deep into the weeds now and bust out math equations and definitions of esoteric terminology but I won't go there. Instead I will describe what I personally find to be the most fascinating part of how they work without resorting to LaTeX and cryptographic primitives. Let's say that Alice and Bob are swapping coins with each other. The way the adaptor signature swap protocol works relies on Alice and Bob each creating half of a private key for an address on each chain and then working together to send funds to addresses which are the sum of those private keys. Alice and Bob don't send their half of the privkey to each other, they verifiably encrypt it, such that when the protocol completes, Alice and Bob each learn the other half and can claim the funds. This is simply amazing.
Adaptor Signatures are magical because they get rid of bulky Scripts and implement that logic into the structure of private keys and addresses. This is why an adaptor signature swap looks just like a normal blockchain transaction. An outside observer can't even tell if a transaction is a swap or not, much less the exchange rate or if it was successful. It obliterates any metadata leakage that blockchain analysis could use to study the swaps. So while HTLC swaps gives blockchain analysts a field day of metadata to study, adaptor signatures give them nothing at all. Chef's kiss. This is why I decided that Hush should completely ignore HTLC swaps and instead focus on adaptor signature swaps. When I realized that BSX was already using these to power swaps between Monero and (currently) about a dozen other blockchains, I knew that we wanted to add Hush support to BSX.
BSX is written in Python and uses C++ to do low-level elliptic curve operations. How do we get that code to talk to Rust? Is there a way to avoid involving Rust? The only way to avoid it is to write a probably buggy implementation of an elliptic curve in Python or C++. Neither seemed like a good idea, so I decided to figure out how to jam some rust into a Python/C++ project, come hell or high water.
After way too much research I discovered there was actually a way to do what we needed. We can make Rust code accessible from Python and then BSX Python code can use that to do what it needs. In particular, BSX needs to be able to create public keys for Jubjub and be able to add them together to derive another public key. This code is called pyjubjub and is still very experimental, but it proves it is possible to add support for any coin using any elliptic curve to BSX. An example of using the Jubjub elliptic curve to create a valid Sapling zaddr in Python is here. And with that I forked BSX to begin adding Hush support which uses the pyjubjub code. There is still a lot more work to be done. With the existence of pyjubjub it has gone from the realm of "Is this even possible?" to "The finish line is over there, beyond that mountain. Let's start running."
Adding Hush to BSX via adding support for the Jubjub elliptic curve will benefit many various other communities. Firstly it opens up BSX to supporting every cryptocoin that uses Sapling zaddrs. Historically I know of close to two dozen blockchains that used Sapling zaddrs at some point, but many have receded into the great beyond. Currently active chains that could benefit are, in addition to Hush, are Zcash, DragonX, Pirate and Ycash. Since Zcash and Ycash have optional privacy and still support transparent addresses, they could in theory be added to BSX but without any privacy. That is pretty lame which seems to be why nobody has added Zcash/Ycash support to BSX using taddrs. For Pirate and DragonX, which are "z2z" (everyone must use privacy features for every transaction, like Monero) adding Jubjub makes it possible to make decentralized private swaps, which otherwise would not be possible.
If you are dev interested in adding Jubjub elliptic curve support to BSX or a user that is willing to do testing, we want to talk to you! Join Hush Matrix / Telegram or DragonX Matrix / Telegram and somebody will send you in the right direction.
-- Duke
June 4, 2025