How many addresses can be stored in a Hush lite or full wallet? #3

Open
opened 1 year ago by duke · 0 comments
duke commented 1 year ago
Owner

## TLDR

At least 2.1 billion.

## Some details

More addresses than you are likely to ever want or need. Somewhere between 2^87 (1.54e26) and 2^256 (1.15e77) in theory. The upper bound is close to the number of atoms in the universe (1e80). The real limit is going to be bounded by hardware or software limitations, such as RAM/disk space or internal limitations such as using a 32 or 64 byte datatype for something which in theory could have more values than that.

In fact, Zcash and Hush full nodes currently use a 32 byte counter and therefore can only store 2^31 - 2 (2147483646) Sapling zaddrs in a single wallet.

It is possible that light wallets use a 64 bit counter and could potentially have many more zaddrs. There is no specification for Zcash lite wallets (ZIP39 doesn't exist) so it's the Wild West.

## Possibly Too Many Details

Firstly, a 24 word seedphrase is just a way to store the "seed" of a Hierarchical Deterministic (HD) Wallet. So the number of addresses a lite wallet (like SDL) can store is the same (in theory) as the number a full node wallet can store.

Originally the very first Bitcoin wallets were not HD; every address was "on its own", not related to other addresses in the wallet. This led to problems when backing up wallets. If a new address was added since the last time you backed up a wallet, there was no way to know what that new address was. There was no relation between addresses. HD fixes that by making addresses related to each other. They are a sequence of addresses such that if you know the "seed" you can generate the sequence of addresses and recover lost funds. This means if you ever made a single backup of a wallet, then you can recover funds from any address it might create, which is a very important property.

HD wallets are defined in BIP32 https://github.com/bitcoin/bips/blob/master/bip-0032.mediawiki and then extended in ZIP32 for Zcash Protocol: https://github.com/zcash/zips/blob/main/zip-0032.rst

Hush follows an older version of ZIP32, before Orchard addresses were introduced, since Hush does not use them. The Sapling part of ZIP32 is what is relevant to Hush wallets.

HD wallets have a tree-like structure that is very general, and most software does not allow for every possibility even though it's allowed by the spec. There is a concept called an "account" which is like a bucket of addresses inside the HD wallet, and each of these buckets has related addresses. Since account is defined as a 4 byte value (32 bits) it has 2^5=32 possible values. Each account has roughly 2^87 usable payment addresses. Multiplying these together gives 2^87*2^5=2^92 shielded payment addresses across all accounts. So we can have at least 2^92 zaddrs in a wallet, but taddrs are also possible, even though they can only be used for mining on the Hush network.

There are only 2^160 different potential public+private keypairs (addresses) possible with Bitcoin, which is related to the use of RIPEMD160. Sapling shielded addresses use an elliptic curve called BLS12-381 https://electriccoin.co/blog/new-snark-curve/ which uses a field of order ~2^254 which means there are 2^254 elements but some may not be valid. So taking into account taddrs + zaddrs, we have potentially 2^160 + 2^254 addresses potentially possible in a wallet.

So yeah, you could say it's complicated. You can store more addresses in a wallet than you will ever want or need, at least 2.1 billion due to current technical limitations and potentially up to 2^64 in lite wallets that use a 64 bit datatype.

## Links

Error message when too many zaddrs are stored in a ZEC wallet: https://github.com/zcash/zcash/pull/5849/files#diff-1f2db0e4d5c12d109c7f0962333c245b49b696cb39ff432da048e9d6c08944d8R528
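
An added illustration, not part of the original post and not Hush or Zcash code: the backup property and the bounded child counter discussed above, shown with BIP32 hardened private-key derivation (ZIP32 derives Sapling keys with different primitives, so this covers the BIP32 side only). The function names and the `MAX_CHILDREN` constant are assumptions made for this example.

```python
import hashlib
import hmac

# secp256k1 group order, used by BIP32 to reduce derived private keys.
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
HARDENED = 1 << 31       # BIP32: child indexes >= 2^31 are hardened
MAX_CHILDREN = 1 << 31   # assumption: one counter per hardened child slot


def master_key(seed: bytes):
    """BIP32 master key generation: returns (private key int, chain code)."""
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return int.from_bytes(digest[:32], "big"), digest[32:]


def hardened_child(key: int, chain: bytes, counter: int):
    """BIP32 hardened private child derivation for child number `counter`.

    The spec's rejection of the negligible-probability invalid outputs
    (left half >= N, or a zero child key) is omitted here.
    """
    if not 0 <= counter < MAX_CHILDREN:
        # The index is serialized in 4 bytes with the top bit set, so a
        # counter above 2^31 - 1 cannot be encoded at this level.
        raise OverflowError("child counter does not fit in 31 bits")
    index = HARDENED | counter
    data = b"\x00" + key.to_bytes(32, "big") + index.to_bytes(4, "big")
    digest = hmac.new(chain, data, hashlib.sha512).digest()
    child = (int.from_bytes(digest[:32], "big") + key) % N
    return child, digest[32:]


def first_keys(seed: bytes, count: int):
    """Re-derive the first `count` hardened child keys from the seed alone."""
    key, chain = master_key(seed)
    return [hardened_child(key, chain, i)[0] for i in range(count)]


if __name__ == "__main__":
    # Seed of BIP32 test vector 1; never use a published seed for funds.
    seed = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
    for i, k in enumerate(first_keys(seed, 3)):
        print(f"m/{i}' -> {k:064x}")
```

Running `first_keys` twice on the same seed returns the same list, which is why a single seed backup covers addresses created later; the counter check is where a fixed-width index turns the theoretical address space into a hard per-wallet limit.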
