Papers
Topics
Authors
Recent
Search
2000 character limit reached

Privacy-Preserving Automated Market Maker

Updated 9 July 2026
  • Privacy-preserving AMMs are decentralized exchange mechanisms that obscure sensitive trade details through cryptographic proofs, noise injection, and secure multiparty computation.
  • They mitigate vulnerabilities of conventional AMMs by preventing frontrunning, sandwich attacks, and MEV extraction through concealed order flow and reserve dynamics.
  • Implementations like EnerSwap illustrate practical trade-offs with latency, gas costs, and auditability while achieving robust privacy and effective price discovery.

Privacy-preserving automated market makers are AMM-based exchange mechanisms that preserve automated, rule-based liquidity provision while attempting to conceal information that conventional on-chain AMMs expose by default: pending order flow, balances, trade sizes, reserve deltas, or the market maker’s effective observation of flow. In the cited literature, the term spans two technically distinct lines of work. One line treats privacy as a cryptographic or confidential-computation problem, using commitments, zero-knowledge proofs, secure multiparty computation, and related infrastructure to hide transaction contents and intermediate arithmetic during execution (Bendada et al., 26 Aug 2025, Xu et al., 2021). The other line treats privacy as an information-structure perturbation in market microstructure, modeling a committed Bayesian AMM that prices from noisy order-flow observations and thereby transfers expected value from the LP pool to traders; this transfer is termed the “privacy subsidy” (Nakamura, 15 May 2026, Nakamura, 25 May 2026). Both lines are motivated by the same baseline observation: ordinary AMMs are structurally transparent, mechanically deterministic, and therefore exposed to transaction inspection, frontrunning, sandwich attacks, and broader MEV extraction (Xu et al., 2021, Bartoletti et al., 2021).

1. Transparency of conventional AMMs and the privacy problem

The SoK on AMM-based DEXs models an AMM as a blockchain state-transition system, with protocol execution written as χfaχ\chi \xrightarrow[f]{a} \chi' and a pool state represented as χ=({rk}k=1,,n,{pk}k=1,,n,Ω)\chi = (\{r_k\}_{k=1,\dots,n}, \{p_k\}_{k=1,\dots,n}, \Omega). Within that framework, the conservation function governs allowable state evolution under swaps and liquidity changes. The same paper emphasizes that AMMs are structurally transparent and mechanically deterministic: state is public, reserve updates are public, and, because swaps follow deterministic bonding curves, observers can often reverse-engineer trade details from state changes (Xu et al., 2021).

This transparency creates both privacy leakage and an attack surface. The SoK states that AMM mechanics can leak enough information from pool state changes to infer approximate transaction size, traded assets, block-level trading activity, and other protocol-level behaviors. It also identifies transaction inspection as the root of frontrunning, backrunning, sandwich attacks, transaction sequence manipulation, and block timestamp manipulation. Even when blockchains are only pseudonymous, repeated activity and external data can support identity tracing and behavioral inference (Xu et al., 2021).

The MEV literature sharpens this point by showing that observability and ordering control suffice for systematic extraction. In a constant-product AMM, an adversary that can reorder, insert, or drop transactions can attack not only swaps but also deposits and redeems. The attack surface is generalized by the “Dagwood sandwich,” a layered sequence of adversarial actions around user transactions. The paper’s examples report about USD 5,000 for a classic swap sandwich and about USD 5,700 when deposit exploitation is added, illustrating that privacy loss is not confined to swap intent alone (Bartoletti et al., 2021).

A recurring implication is that privacy-preserving AMM design is not only about hiding user identities. It is equally about preventing early inference of trade direction, size, deposit ratio, mint/redeem timing, and the relationship between user actions and reserve state. The cited papers treat these informational channels as economically load-bearing because they determine whether adversaries can compute exploitable state transitions before execution (Bartoletti et al., 2021, Xu et al., 2021).

2. Cryptographic and confidential-computation architectures

A direct implementation of a privacy-preserving AMM appears in "EnerSwap: Large-Scale, Privacy-First Automated Market Maker for V2G Energy Trading" (Bendada et al., 26 Aug 2025). EnerSwap retains the classic constant-product invariant

ELPMLP=CE_{LP} \cdot M_{LP} = C

where ELPE_{LP} is the energy-token reserve, MLPM_{LP} is the money-token reserve, and CC is a constant. Its economic clearing logic remains a constant-product swap, but the sensitive arithmetic is moved off-chain into secure multiparty computation, correctness is proved on-chain with zkSNARKs, and balances and order sizes are concealed with Pedersen commitments (Bendada et al., 26 Aug 2025).

The privacy mechanism is layered. Each participant commits to values with

Comm(x,r)=gxhrmodp,\mathrm{Comm}(x, r) = g^{\,x} h^{\,r} \bmod p,

which is described as binding and hiding. Traders do not reveal exact balances or order sizes to the public or to the contract. Instead, they prove in zero knowledge that balance exceeds a threshold KK. The zkSNARK construction is tied to Ethereum state by a Merkle Patricia Trie proof: the prover checks Keccak256(leafRlp)\mathrm{Keccak256}(leafRlp) against the leaf hash, decodes the balance from the leaf, checks balancekbalance \ge k, and generates a proof over the private leaf and public χ=({rk}k=1,,n,{pk}k=1,,n,Ω)\chi = (\{r_k\}_{k=1,\dots,n}, \{p_k\}_{k=1,\dots,n}, \Omega)0 (Bendada et al., 26 Aug 2025).

The swap arithmetic is computed privately by an MPC committee using secret shares and Beaver triples. For a buyer spending χ=({rk}k=1,,n,{pk}k=1,,n,Ω)\chi = (\{r_k\}_{k=1,\dots,n}, \{p_k\}_{k=1,\dots,n}, \Omega)1 to receive χ=({rk}k=1,,n,{pk}k=1,,n,Ω)\chi = (\{r_k\}_{k=1,\dots,n}, \{p_k\}_{k=1,\dots,n}, \Omega)2, the constant-product equation is expanded as

χ=({rk}k=1,,n,{pk}k=1,,n,Ω)\chi = (\{r_k\}_{k=1,\dots,n}, \{p_k\}_{k=1,\dots,n}, \Omega)3

and only the multiplication term χ=({rk}k=1,,n,{pk}k=1,,n,Ω)\chi = (\{r_k\}_{k=1,\dots,n}, \{p_k\}_{k=1,\dots,n}, \Omega)4 requires a Beaver triple. The committee generates χ=({rk}k=1,,n,{pk}k=1,,n,Ω)\chi = (\{r_k\}_{k=1,\dots,n}, \{p_k\}_{k=1,\dots,n}, \Omega)5 with χ=({rk}k=1,,n,{pk}k=1,,n,Ω)\chi = (\{r_k\}_{k=1,\dots,n}, \{p_k\}_{k=1,\dots,n}, \Omega)6, reconstructs masked differences, and computes a sharing of χ=({rk}k=1,,n,{pk}k=1,,n,Ω)\chi = (\{r_k\}_{k=1,\dots,n}, \{p_k\}_{k=1,\dots,n}, \Omega)7 with one broadcast round for the multiplication gate, which the paper describes as the minimum for actively secure Beaver-style MPC. The resulting design hides individual trade quantities, exchange rates, user balances, and intermediate arithmetic, while still making the final result auditable on-chain (Bendada et al., 26 Aug 2025).

EnerSwap is also an explicit anti-MEV architecture. The paper argues that front running, sandwich attacks, arbitrage extraction, and related MEV-style exploitation depend on visibility into pending orders and pool state. Its response is to conceal individual trade sizes and balances with commitments and ZK proofs, process trades off-chain via MPC, and reveal only the final aggregate result after completion. Under the stated blockchain assumptions, the ledger is Byzantine fault tolerant with χ=({rk}k=1,,n,{pk}k=1,,n,Ω)\chi = (\{r_k\}_{k=1,\dots,n}, \{p_k\}_{k=1,\dots,n}, \Omega)8 replicas and at most χ=({rk}k=1,,n,{pk}k=1,,n,Ω)\chi = (\{r_k\}_{k=1,\dots,n}, \{p_k\}_{k=1,\dots,n}, \Omega)9 faulty nodes (Bendada et al., 26 Aug 2025).

The implementation section provides concrete systems evidence. The proof-of-concept uses Circom, Solidity, a private 4-node Geth network, Python commitment code, SPDZ for MPC, and Hyperledger Caliper. Reported results include 0.9 s Groth16 proof generation versus 2.11 s for Plonk, 805 B versus 2300 B proof sizes, 143512 KB versus 205036 KB memory, and 218000 versus 260350 verification gas. MPC online latency rises from 7 ms with 3 peers to 33 ms with 10 peers. The Groth16 verifier reaches just over 100 TPS, while Plonk plateaus around 55 TPS. In a sharding simulation, TON latency stayed around 4.5 s, while Ethereum-PoA increased from about 4 s to 5 s and then 11 s as block gas load rose (Bendada et al., 26 Aug 2025).

More broadly, the SoK surveys infrastructure-layer and middleware-layer techniques relevant to privacy-preserving AMMs, including zero-knowledge proofs, homomorphic encryption, privacy-preserving blockchains, PBS, Ferveo, Hawk, Ekiden, Submarine Commitments, P2DEX, ZKSwap, ZEXE, Zswap, Blank, and Enigma. The same source also warns that many privacy-preserving DEX designs are hard to combine with AMMs because public reserve dynamics can still leak information even when transaction payloads are hidden (Xu et al., 2021).

3. Privacy as noisy order-flow observation

A different formulation appears in "The Privacy Subsidy: Kyle's ELPMLP=CE_{LP} \cdot M_{LP} = C0 under Noise-Perturbed Order-Flow Observation" (Nakamura, 15 May 2026). Here the privacy-preserving AMM is not primarily a cryptographic object. It is a single-period Kyle-style market in which a committed Bayesian AMM does not observe total order flow ELPMLP=CE_{LP} \cdot M_{LP} = C1 directly, but instead sees

ELPMLP=CE_{LP} \cdot M_{LP} = C2

where ELPMLP=CE_{LP} \cdot M_{LP} = C3 is independent Gaussian privacy noise. The asset value satisfies

ELPMLP=CE_{LP} \cdot M_{LP} = C4

noise-trader flow satisfies

ELPMLP=CE_{LP} \cdot M_{LP} = C5

and the informed trader submits the linear order

ELPMLP=CE_{LP} \cdot M_{LP} = C6

The market maker is a committed Bayesian AMM,

ELPMLP=CE_{LP} \cdot M_{LP} = C7

The paper emphasizes that this is not a zero-profit competitive market maker. The pricing rule is fixed mechanically, and any expected loss is borne by the LP pool or protocol treasury (Nakamura, 15 May 2026).

Under a linear equilibrium

ELPMLP=CE_{LP} \cdot M_{LP} = C8

the paper derives a unique linear Kyle equilibrium in which privacy noise rescales both the price-impact coefficient and informed-trader strategy by a single factor in the privacy parameter. Price impact falls with privacy noise, informed trading intensity rises with privacy noise, and their product is invariant:

ELPMLP=CE_{LP} \cdot M_{LP} = C9

The paper characterizes this as the survival of the “half-revealing” property under privacy. In equilibrium,

ELPE_{LP}0

so

ELPE_{LP}1

independent of privacy noise, while the conditional variance changes (Nakamura, 15 May 2026).

The paper’s main economic contribution is a welfare decomposition. Defining

ELPE_{LP}2

with the zero-sum identity ELPE_{LP}3, the equilibrium yields

ELPE_{LP}4

ELPE_{LP}5

ELPE_{LP}6

The protocol or LP pool therefore loses

ELPE_{LP}7

which the paper names the privacy subsidy. It is defined as the closed-form per-period transfer from the protocol or LP pool to traders induced by privacy-noisy observation. The paper states that stronger privacy always increases the subsidy, with

ELPE_{LP}8

and gives the asymptotics

ELPE_{LP}9

and

MLPM_{LP}0

It interprets the subsidy as the minimum fee revenue per period needed for break-even:

MLPM_{LP}1

The paper also states that this fee threshold is computed against the no-fee equilibrium, and that a per-trade fee changes incentives and may break the linear-strategy structure (Nakamura, 15 May 2026).

The primary application is shielded AMMs with explicit additive-noise injection, including differential-privacy-style noise injection and constant-function AMMs augmented by a privacy layer. The paper presents this result as the single-period closed-form privacy-noise analog of Loss-Versus-Rebalancing (LVR), with the difference that LVR is a temporal-asymmetry cost, whereas the privacy subsidy is an information-noise cost (Nakamura, 15 May 2026).

4. Continuous-time privacy subsidy and duality with LVR

"The Privacy Subsidy in Continuous-Time Kyle: Cumulative Welfare under Noise-Perturbed Order-Flow Observation" extends the same logic to the continuous-time Kyle model (Nakamura, 25 May 2026). The horizon is MLPM_{LP}2. The informed trader observes

MLPM_{LP}3

and follows the linear Markovian strategy

MLPM_{LP}4

Noise-trader flow is Brownian,

MLPM_{LP}5

and privacy is introduced by an independent Brownian channel

MLPM_{LP}6

The market maker observes

MLPM_{LP}7

and prices with

MLPM_{LP}8

Again, the AMM is committed to Bayesian pricing rather than dynamically enforcing zero market-maker profit (Nakamura, 25 May 2026).

Under the linear Markovian ansatz and the Kyle–Back full-revelation condition MLPM_{LP}9, the unique equilibrium has

CC0

Thus price impact is constant in time, posterior variance declines linearly, and insider trading intensity explodes near the horizon as in standard continuous-time Kyle/Back. The proof uses the substitution

CC1

reflecting the fact that privacy noise enlarges the market maker’s effective observation noise (Nakamura, 25 May 2026).

The cumulative AMM profit over CC2 is defined as

CC3

In equilibrium,

CC4

so the absolute transfer from the liquidity pool to traders is

CC5

The paper decomposes this welfare transfer as

CC6

CC7

CC8

Setting CC9 recovers classical Kyle–Back zero-market-maker-profit behavior (Nakamura, 25 May 2026).

A central contribution is the structural duality with LVR. The paper states that LVR is driven by price observation mismatch, while the privacy subsidy is driven by signal observation mismatch. For LVR,

Comm(x,r)=gxhrmodp,\mathrm{Comm}(x, r) = g^{\,x} h^{\,r} \bmod p,0

whereas for privacy,

Comm(x,r)=gxhrmodp,\mathrm{Comm}(x, r) = g^{\,x} h^{\,r} \bmod p,1

The shared solvency logic is

Comm(x,r)=gxhrmodp,\mathrm{Comm}(x, r) = g^{\,x} h^{\,r} \bmod p,2

This yields a break-even fee condition: if the protocol charges a proportional fee Comm(x,r)=gxhrmodp,\mathrm{Comm}(x, r) = g^{\,x} h^{\,r} \bmod p,3 on total volume Comm(x,r)=gxhrmodp,\mathrm{Comm}(x, r) = g^{\,x} h^{\,r} \bmod p,4, then

Comm(x,r)=gxhrmodp,\mathrm{Comm}(x, r) = g^{\,x} h^{\,r} \bmod p,5

so

Comm(x,r)=gxhrmodp,\mathrm{Comm}(x, r) = g^{\,x} h^{\,r} \bmod p,6

The paper also states that in a time-varying privacy extension, the cumulative subsidy depends only on the average noise variance

Comm(x,r)=gxhrmodp,\mathrm{Comm}(x, r) = g^{\,x} h^{\,r} \bmod p,7

not on how privacy noise is scheduled over time (Nakamura, 25 May 2026).

5. Design families, scope, and adjacent AMM architectures

The cited literature distinguishes between designs that are directly modeled as privacy-preserving AMMs and designs that are merely adjacent.

Design family Mechanism or interpretation Status in cited literature
Shielded AMMs with explicit additive-noise injection Gaussian privacy noise added to observable order flow Primary application of the privacy-subsidy model (Nakamura, 15 May 2026)
EnerSwap Pedersen commitments, zkSNARKs, MPC, blockchain anchoring, geo-sharding Concrete privacy-preserving AMM implementation for V2G energy trading (Bendada et al., 26 Aug 2025)
Penumbra-style batched swaps Batching reduces to Kyle with rescaled noise-trader variance Under Bayesian-MM framing, Comm(x,r)=gxhrmodp,\mathrm{Comm}(x, r) = g^{\,x} h^{\,r} \bmod p,8 exactly; does not generate the privacy subsidy in that model (Nakamura, 15 May 2026)
Suave-style sealed-bid order-flow auctions Temporal-reveal mechanism Left to separate frameworks; more naturally related to the LVR/stale-price framework (Nakamura, 15 May 2026)
Renegade-style midpoint-pegged crossings / oracle-pegged exchanges Exogenous price discovery Do not fit Kyle because the mechanism does not consume flow to set price (Nakamura, 15 May 2026)

This taxonomy matters because “privacy-preserving AMM” is not synonymous with any AMM that reduces some informational leakage. "Dynamic Exponent Market Maker: Personalized Portfolio Manager and One Pool to Trade Them All" proposes a single composite pool with a dynamic exponent vector and token-specific LP shares, but it does not introduce cryptographic privacy primitives. The paper explicitly states that the design is not privacy-preserving by itself, uses public state and deterministic math, and remains vulnerable to flash loan attacks unless additional defenses are added. It does note only weak, indirect privacy properties, such as reduced routing complexity and some aggregation of ownership through LP tokens (Kositwattanarerk, 30 Jul 2025).

Similarly, "Predictive Crypto-Asset Automated Market Making Architecture for Decentralized Finance using Deep Reinforcement Learning" is not a privacy-preserving AMM design. It augments Uniswap V3 with off-chain prediction, introduces a TEE, and mentions differential privacy and confidentiality-preserving smart-contract policies, but custody, settlement, liquidity positions, vault balances, and pool details remain on-chain and visible. The paper therefore describes a predictive, quote-driven AMM with optional confidentiality scaffolding rather than a privacy-preserving AMM in the cryptographic sense (Lim, 2022).

"Onchain Sports Betting using UBET Automated Market Maker" is likewise non-custodial and transparent rather than cryptographically private. The paper claims reduced custodial exposure and wallet-based participation, but states no explicit privacy guarantees and describes no zero-knowledge proofs, encryption, stealth addresses, mixers, or hidden order flow (Im et al., 2023).

A plausible implication is that the contemporary design space contains at least three categories: explicitly private execution systems, information-theoretic or microstructure models of privacy, and architectures that improve capital efficiency or execution structure without directly hiding state.

6. Trade-offs, misconceptions, and open problems

A common misconception is that hiding transaction payloads is sufficient. The SoK rejects that view by stressing that, in ordinary CFMMs, public reserve updates and deterministic bonding curves can allow trade inference even when some transaction details are obscured. The MEV literature adds that privacy alone is not enough if adversaries can still influence ordering after decryption or reveal; attacks may remain if parameters are revealed before execution or if reserve ratios, balances, or user intent leak structurally (Xu et al., 2021, Bartoletti et al., 2021).

A second misconception is that any non-custodial AMM is private. The cited literature does not support that equivalence. UAMM is non-custodial and transparent, not cryptographically private (Im et al., 2023). DEMM changes pool structure and routing but is not privacy-preserving by itself (Kositwattanarerk, 30 Jul 2025). The predictive RL architecture uses a TEE and mentions differential privacy requirements, but its economically relevant state remains public (Lim, 2022).

A third misconception is that privacy is economically free. The privacy-subsidy papers explicitly deny this in the committed-Bayesian-AMM setting. In both the single-period and continuous-time Kyle models, stronger privacy increases the transfer from the protocol’s LP pool to traders, and fee revenue must cover that transfer for solvency (Nakamura, 15 May 2026, Nakamura, 25 May 2026).

The open problems are correspondingly specific. The single-period privacy-subsidy paper lists Glosten–Milgrom-style bid-ask spreads under privacy noise, directional-only or bucketed privacy mechanisms, time-delayed observation, multi-period models combining LVR and privacy subsidy, formal treatment of endogenous fees and volume response, and mechanized formalization or empirical calibration as future work (Nakamura, 15 May 2026). The continuous-time extension adds the operational question of interpreting a Brownian privacy channel as a limit of finite-block deployments and calibrating fees blockwise (Nakamura, 25 May 2026). EnerSwap identifies practical trust and deployment trade-offs: dynamically selected committee nodes under a permissioned model, trusted setup for the CRS, off-chain committee communication, and a tension between strong confidentiality and market transparency (Bendada et al., 26 Aug 2025).

Across the cited work, the central difficulty is consistent. A privacy-preserving AMM must conceal or obfuscate the informational chain that allows observers to reconstruct trades from public pool dynamics, while still preserving sufficient price discovery, execution quality, solvency, and auditability to remain usable. The literature does not treat this as a solved problem. Instead, it presents privacy-preserving AMMs as an active synthesis problem at the intersection of AMM mechanism design, market microstructure, confidential computation, and MEV-resistant transaction handling (Xu et al., 2021, Bendada et al., 26 Aug 2025, Nakamura, 15 May 2026, Nakamura, 25 May 2026).

Topic to Video (Beta)

No one has generated a video about this topic yet.

Whiteboard

No one has generated a whiteboard explanation for this topic yet.

Follow Topic

Get notified by email when new papers are published related to Privacy-preserving Automated Market Maker (AMM).