\documentclass{article} \RequirePackage{amsmath} \RequirePackage{bytefield} \RequirePackage{graphicx} \RequirePackage{newtxmath} \RequirePackage{mathtools} \RequirePackage{xspace} \RequirePackage{url} \RequirePackage{changepage} \RequirePackage{enumitem} \RequirePackage{tabularx} \RequirePackage{hhline} \RequirePackage[usestackEOL]{stackengine} \RequirePackage{comment} \RequirePackage{needspace} \RequirePackage[nobottomtitles]{titlesec} \RequirePackage[hang]{footmisc} \RequirePackage{xstring} \RequirePackage[unicode,bookmarksnumbered,bookmarksopen,pdfview=Fit]{hyperref} \RequirePackage{cleveref} \RequirePackage{nameref} \RequirePackage[style=alphabetic,maxbibnames=99,dateabbrev=false,urldate=iso8601,backref=true,backrefstyle=none,backend=biber]{biblatex} \addbibresource{hush.bib} % Fonts \RequirePackage{lmodern} \RequirePackage{quattrocento} \RequirePackage[bb=ams]{mathalfa} % Quattrocento is beautiful but doesn't have an italic face. So we scale % New Century Schoolbook italic to fit in with slanted Quattrocento and % match its x height. \renewcommand{\emph}[1]{\hspace{0.15em}{\fontfamily{pnc}\selectfont\scalebox{1.02}[0.999]{\textit{#1}}}\hspace{0.02em}} % While we're at it, let's match the tt x height to Quattrocento as well. \let\oldtexttt\texttt \let\oldmathtt\mathtt \renewcommand{\texttt}[1]{\scalebox{1.02}[1.07]{\oldtexttt{#1}}} \renewcommand{\mathtt}[1]{\scalebox{1.02}[1.07]{$\oldmathtt{#1}$}} \newcommand{\zsendmany}{\textbf{z\_sendmany}} % bold but not extended \newcommand{\textbnx}[1]{{\fontseries{b}\selectfont #1}} \crefformat{footnote}{#2\footnotemark[#1]#3} \DeclareLabelalphaTemplate{ \labelelement{\field{citekey}} } \DefineBibliographyStrings{english}{ page = {page}, pages = {pages}, backrefpage = {\mbox{$\uparrow$ p\!}}, backrefpages = {\mbox{$\uparrow$ p\!}} } \setlength{\oddsidemargin}{-0.25in} \setlength{\textwidth}{7in} \setlength{\topmargin}{-0.75in} \setlength{\textheight}{9.2in} \setlength{\parindent}{0ex} \renewcommand{\arraystretch}{1.4} \overfullrule=2cm \setlength{\footnotemargin}{0.6em} \setlength{\footnotesep}{2ex} \addtolength{\skip\footins}{3ex} \renewcommand{\bottomtitlespace}{8ex} % Use rubber lengths between paragraphs to improve default pagination. % https://tex.stackexchange.com/questions/17178/vertical-spacing-pagination-and-ideal-results \setlength{\parskip}{1.5ex plus 1pt minus 1pt} \setlist[enumerate]{before=\vspace{-1ex}} \setlist[itemize]{itemsep=0.5ex,topsep=0.2ex,before=\vspace{-1ex},after=\vspace{1.5ex}} \newlist{formulae}{itemize}{3} \setlist[formulae]{itemsep=0.2ex,topsep=0ex,leftmargin=1.5em,label=,after=\vspace{1.5ex}} \newcommand{\docversion}{Pre-Release Version} \newcommand{\termbf}[1]{\textbf{#1}\xspace} \newcommand{\Hushlist}{\termbf{HushList}} \newcommand{\HushList}{\termbf{HushList}} \newcommand{\Hushlists}{\termbf{HushLists}} \newcommand{\HushLists}{\termbf{HushLists}} \newcommand{\doctitle}{Hush Version 3} \newcommand{\leadauthor}{Duke Leto} \newcommand{\keywords}{anonymity, freedom of speech, cryptographic protocols,\ electronic commerce and payment, financial privacy, proof of work, zero knowledge} \hypersetup{ pdfborderstyle={/S/U/W 0.7}, pdfinfo={ Title={\doctitle, \docversion}, Author={\leadauthor}, Keywords={\keywords} } } \makeatletter \renewcommand*{\@fnsymbol}[1]{\ensuremath{\ifcase#1\or \dagger\or \ddagger\or \mathsection\or \mathparagraph\else\@ctrerr\fi}} \makeatother \renewcommand{\sectionautorefname}{\S\!} \renewcommand{\subsectionautorefname}{\S\!} \renewcommand{\subsubsectionautorefname}{\S\!} \renewcommand{\subparagraphautorefname}{\S\!} \newcommand{\crossref}[1]{\autoref{#1}\, \emph{`\nameref*{#1}\kern -0.05em'} on p.\,\pageref*{#1}} \newcommand{\nstrut}[1]{\texorpdfstring{#1\rule[-.2\baselineskip]{0pt}{\baselineskip}}{#1}} \newcommand{\nsection}[1]{\section{\nstrut{#1}}} \newcommand{\nsubsection}[1]{\subsection{\nstrut{#1}}} \newcommand{\nsubsubsection}[1]{\subsubsection{\nstrut{#1}}} \newcommand{\introlist}{\needspace{15ex}} \newcommand{\introsection}{\needspace{30ex}} \mathchardef\mhyphen="2D % http://tex.stackexchange.com/a/309445/78411 \DeclareFontFamily{U}{FdSymbolA}{} \DeclareFontShape{U}{FdSymbolA}{m}{n}{ <-> s*[.4] FdSymbolA-Regular }{} \DeclareSymbolFont{fdsymbol}{U}{FdSymbolA}{m}{n} \DeclareMathSymbol{\smallcirc}{\mathord}{fdsymbol}{"60} \makeatletter \newcommand{\hollowcolon}{\mathpalette\hollow@colon\relax} \newcommand{\hollow@colon}[2]{ \mspace{0.7mu} \vbox{\hbox{$\m@th#1\smallcirc$}\nointerlineskip\kern.45ex \hbox{$\m@th#1\smallcirc$}\kern-.06ex} \mspace{1mu} } \makeatother \newcommand{\typecolon}{\;\hollowcolon\;} % We just want one ampersand symbol from boisik. \DeclareSymbolFont{bskadd}{U}{bskma}{m}{n} \DeclareFontFamily{U}{bskma}{\skewchar\font130 } \DeclareFontShape{U}{bskma}{m}{n}{<->bskma10}{} \DeclareMathSymbol{\binampersand}{\mathbin}{bskadd}{"EE} \newcommand{\hairspace}{~\!} \newcommand{\hparen}{\hphantom{(}} \newcommand{\hfrac}[2]{\scalebox{0.8}{$\genfrac{}{}{0.5pt}{0}{#1}{#2}$}} \RequirePackage[usenames,dvipsnames]{xcolor} % https://en.wikibooks.org/wiki/LaTeX/Colors#The_68_standard_colors_known_to_dvips \newcommand{\todo}[1]{{\color{Sepia}\sf{TODO: #1}}} \newcommand{\changedcolor}{magenta} \newcommand{\setchanged}{\color{\changedcolor}} \newcommand{\changed}[1]{\texorpdfstring{{\setchanged{#1}}}{#1}} % terminology \newcommand{\term}[1]{\textsl{#1}\kern 0.05em\xspace} \newcommand{\titleterm}[1]{#1} \newcommand{\quotedterm}[1]{``~\!\!\term{#1}''} \newcommand{\conformance}[1]{\textbnx{#1}\xspace} \newcommand{\Zcash}{\termbf{Zcash}} \newcommand{\Hush}{\termbf{Hush}} \newcommand{\Zerocash}{\termbf{Zerocash}} \newcommand{\Bitcoin}{\termbf{Bitcoin}} \newcommand{\CryptoNote}{\termbf{CryptoNote}} \newcommand{\ZEC}{\termbf{ZEC}} \newcommand{\ZEN}{\termbf{ZEN}} \newcommand{\ZCL}{\termbf{ZCL}} \newcommand{\KMD}{\termbf{KMD}} \newcommand{\BTCH}{\termbf{BTCH}} \newcommand{\BTCP}{\termbf{BTCP}} \newcommand{\ZAU}{\termbf{ZAU}} \newcommand{\VOT}{\termbf{VOT}} \newcommand{\BTCZ}{\termbf{BTCZ}} \newcommand{\LTZ}{\termbf{LTZ}} \newcommand{\HUSH}{\termbf{HUSH}} \newcommand{\zatoshi}{\term{zatoshi}} \newcommand{\puposhi}{\term{puposhi}} \newcommand{\zcashd}{\textsf{zcashd}\,} \newcommand{\hushd}{\textsf{hushd}\,} \newcommand{\MUST}{\conformance{MUST}} \newcommand{\MUSTNOT}{\conformance{MUST NOT}} \newcommand{\SHOULD}{\conformance{SHOULD}} \newcommand{\SHOULDNOT}{\conformance{SHOULD NOT}} \newcommand{\ALLCAPS}{\conformance{ALL CAPS}} \newcommand{\note}{\term{note}} \newcommand{\notes}{\term{notes}} \newcommand{\Note}{\titleterm{Note}} \newcommand{\Notes}{\titleterm{Notes}} \newcommand{\dummy}{\term{dummy}} \newcommand{\dummyNotes}{\term{dummy notes}} \newcommand{\DummyNotes}{\titleterm{Dummy Notes}} \newcommand{\commitmentScheme}{\term{commitment scheme}} \newcommand{\commitmentTrapdoor}{\term{commitment trapdoor}} \newcommand{\commitmentTrapdoors}{\term{commitment trapdoors}} \newcommand{\trapdoor}{\term{trapdoor}} \newcommand{\noteCommitment}{\term{note commitment}} \newcommand{\noteCommitments}{\term{note commitments}} \newcommand{\NoteCommitment}{\titleterm{Note Commitment}} \newcommand{\NoteCommitments}{\titleterm{Note Commitments}} \newcommand{\noteCommitmentTree}{\term{note commitment tree}} \newcommand{\NoteCommitmentTree}{\titleterm{Note Commitment Tree}} \newcommand{\noteTraceabilitySet}{\term{note traceability set}} \newcommand{\noteTraceabilitySets}{\term{note traceability sets}} \newcommand{\joinSplitDescription}{\term{JoinSplit description}} \newcommand{\joinSplitDescriptions}{\term{JoinSplit descriptions}} \newcommand{\JoinSplitDescriptions}{\titleterm{JoinSplit Descriptions}} \newcommand{\sequenceOfJoinSplitDescriptions}{\changed{sequence of} \joinSplitDescription\changed{\term{s}}\xspace} \newcommand{\joinSplitTransfer}{\term{JoinSplit transfer}} \newcommand{\joinSplitTransfers}{\term{JoinSplit transfers}} \newcommand{\JoinSplitTransfer}{\titleterm{JoinSplit Transfer}} \newcommand{\JoinSplitTransfers}{\titleterm{JoinSplit Transfers}} \newcommand{\joinSplitSignature}{\term{JoinSplit signature}} \newcommand{\joinSplitSignatures}{\term{JoinSplit signatures}} \newcommand{\joinSplitSigningKey}{\term{JoinSplit signing key}} \newcommand{\joinSplitVerifyingKey}{\term{JoinSplit verifying key}} \newcommand{\joinSplitStatement}{\term{JoinSplit statement}} \newcommand{\joinSplitStatements}{\term{JoinSplit statements}} \newcommand{\JoinSplitStatement}{\titleterm{JoinSplit Statement}} \newcommand{\joinSplitProof}{\term{JoinSplit proof}} \newcommand{\statement}{\term{statement}} \newcommand{\zeroKnowledgeProof}{\term{zero-knowledge proof}} \newcommand{\ZeroKnowledgeProofs}{\titleterm{Zero-Knowledge Proofs}} \newcommand{\provingSystem}{\term{proving system}} \newcommand{\zeroKnowledgeProvingSystem}{\term{zero-knowledge proving system}} \newcommand{\ZeroKnowledgeProvingSystem}{\titleterm{Zero-Knowledge Proving System}} \newcommand{\ppzkSNARK}{\term{preprocessing zk-SNARK}} \newcommand{\provingKey}{\term{proving key}} \newcommand{\zkProvingKeys}{\term{zero-knowledge proving keys}} \newcommand{\verifyingKey}{\term{verifying key}} \newcommand{\zkVerifyingKeys}{\term{zero-knowledge verifying keys}} \newcommand{\joinSplitParameters}{\term{JoinSplit parameters}} \newcommand{\JoinSplitParameters}{\titleterm{JoinSplit Parameters}} \newcommand{\arithmeticCircuit}{\term{arithmetic circuit}} \newcommand{\rankOneConstraintSystem}{\term{Rank 1 Constraint System}} \newcommand{\primary}{\term{primary}} \newcommand{\primaryInput}{\term{primary input}} \newcommand{\primaryInputs}{\term{primary inputs}} \newcommand{\auxiliaryInput}{\term{auxiliary input}} \newcommand{\auxiliaryInputs}{\term{auxiliary inputs}} \newcommand{\fullnode}{\term{full node}} \newcommand{\fullnodes}{\term{full nodes}} \newcommand{\anchor}{\term{anchor}} \newcommand{\anchors}{\term{anchors}} \newcommand{\UTXO}{\term{UTXO}} \newcommand{\UTXOs}{\term{UTXOs}} \newcommand{\block}{\term{block}} \newcommand{\blocks}{\term{blocks}} \newcommand{\header}{\term{header}} \newcommand{\headers}{\term{headers}} \newcommand{\blockHeader}{\term{block header}} \newcommand{\blockHeaders}{\term{block headers}} \newcommand{\Blockheader}{\term{Block header}} \newcommand{\BlockHeader}{\titleterm{Block Header}} \newcommand{\blockVersionNumber}{\term{block version number}} \newcommand{\blockVersionNumbers}{\term{block version numbers}} \newcommand{\Blockversions}{\term{Block versions}} \newcommand{\blockTime}{\term{block time}} \newcommand{\blockHeight}{\term{block height}} \newcommand{\blockHeights}{\term{block heights}} \newcommand{\genesisBlock}{\term{genesis block}} \newcommand{\transaction}{\term{transaction}} \newcommand{\transactions}{\term{transactions}} \newcommand{\Transactions}{\titleterm{Transactions}} \newcommand{\transactionFee}{\term{transaction fee}} \newcommand{\transactionFees}{\term{transaction fees}} \newcommand{\transactionVersionNumber}{\term{transaction version number}} \newcommand{\transactionVersionNumbers}{\term{transaction version numbers}} \newcommand{\Transactionversion}{\term{Transaction version}} \newcommand{\coinbaseTransaction}{\term{coinbase transaction}} \newcommand{\coinbaseTransactions}{\term{coinbase transactions}} \newcommand{\CoinbaseTransactions}{\titleterm{Coinbase Transactions}} \newcommand{\transparent}{\term{transparent}} \newcommand{\xTransparent}{\term{Transparent}} \newcommand{\Transparent}{\titleterm{Transparent}} \newcommand{\transparentValuePool}{\term{transparent value pool}} \newcommand{\deshielding}{\term{deshielding}} \newcommand{\shielding}{\term{shielding}} \newcommand{\shielded}{\term{shielded}} \newcommand{\shieldedXTN}{\term{shielded} $ t \rightarrow z $ transaction} \newcommand{\shieldedXTNs}{\term{shielded} $ t \rightarrow z $ transactions} \newcommand{\shieldedNote}{\term{shielded note}} \newcommand{\shieldedNotes}{\term{shielded notes}} \newcommand{\xShielded}{\term{Shielded}} \newcommand{\Shielded}{\titleterm{Shielded}} \newcommand{\blockchain}{\term{block chain}} \newcommand{\blockchains}{\term{block chains}} \newcommand{\mempool}{\term{mempool}} \newcommand{\treestate}{\term{treestate}} \newcommand{\treestates}{\term{treestates}} \newcommand{\nullifier}{\term{nullifier}} \newcommand{\nullifiers}{\term{nullifiers}} \newcommand{\xNullifiers}{\term{Nullifiers}} \newcommand{\Nullifier}{\titleterm{Nullifier}} \newcommand{\Nullifiers}{\titleterm{Nullifiers}} \newcommand{\nullifierSet}{\term{nullifier set}} \newcommand{\NullifierSet}{\titleterm{Nullifier Set}} % Daira: This doesn't adequately distinguish between zk stuff and transparent stuff \newcommand{\paymentAddress}{\term{payment address}} \newcommand{\paymentAddresses}{\term{payment addresses}} \newcommand{\viewingKey}{\term{viewing key}} \newcommand{\viewingKeys}{\term{viewing keys}} \newcommand{\spendingKey}{\term{spending key}} \newcommand{\spendingKeys}{\term{spending keys}} \newcommand{\payingKey}{\term{paying key}} \newcommand{\transmissionKey}{\term{transmission key}} \newcommand{\transmissionKeys}{\term{transmission keys}} \newcommand{\keyTuple}{\term{key tuple}} \newcommand{\notePlaintext}{\term{note plaintext}} \newcommand{\notePlaintexts}{\term{note plaintexts}} \newcommand{\NotePlaintexts}{\titleterm{Note Plaintexts}} \newcommand{\notesCiphertext}{\term{transmitted notes ciphertext}} \newcommand{\incrementalMerkleTree}{\term{incremental Merkle tree}} \newcommand{\merkleRoot}{\term{root}} \newcommand{\merkleNode}{\term{node}} \newcommand{\merkleNodes}{\term{nodes}} \newcommand{\merkleHash}{\term{hash value}} \newcommand{\merkleHashes}{\term{hash values}} \newcommand{\merkleLeafNode}{\term{leaf node}} \newcommand{\merkleLeafNodes}{\term{leaf nodes}} \newcommand{\merkleInternalNode}{\term{internal node}} \newcommand{\merkleInternalNodes}{\term{internal nodes}} \newcommand{\MerkleInternalNodes}{\term{Internal nodes}} \newcommand{\merklePath}{\term{path}} \newcommand{\merkleLayer}{\term{layer}} \newcommand{\merkleLayers}{\term{layers}} \newcommand{\merkleIndex}{\term{index}} \newcommand{\merkleIndices}{\term{indices}} \newcommand{\zkSNARK}{\term{zk-SNARK}} \newcommand{\zkSNARKs}{\term{zk-SNARKs}} \newcommand{\libsnark}{\term{libsnark}} \newcommand{\memo}{\term{memo field}} \newcommand{\memos}{\term{memo fields}} \newcommand{\Memos}{\titleterm{Memo Fields}} \newcommand{\keyAgreementScheme}{\term{key agreement scheme}} \newcommand{\KeyAgreement}{\titleterm{Key Agreement}} \newcommand{\keyDerivationFunction}{\term{Key Derivation Function}} \newcommand{\KeyDerivation}{\titleterm{Key Derivation}} \newcommand{\encryptionScheme}{\term{encryption scheme}} \newcommand{\symmetricEncryptionScheme}{\term{authenticated one-time symmetric encryption scheme}} \newcommand{\SymmetricEncryption}{\titleterm{Authenticated One-Time Symmetric Encryption}} \newcommand{\signatureScheme}{\term{signature scheme}} \newcommand{\pseudoRandomFunction}{\term{Pseudo Random Function}} \newcommand{\pseudoRandomFunctions}{\term{Pseudo Random Functions}} \newcommand{\PseudoRandomFunctions}{\titleterm{Pseudo Random Functions}} % conventions \newcommand{\bytes}[1]{\underline{\raisebox{-0.22ex}{}\smash{#1}}} \newcommand{\zeros}[1]{[0]^{#1}} \newcommand{\bit}{\mathbb{B}} \newcommand{\Nat}{\mathbb{N}} \newcommand{\PosInt}{\mathbb{N}^+} \newcommand{\Rat}{\mathbb{Q}} \newcommand{\typeexp}[2]{{#1}\vphantom{)}^{[{#2}]}} \newcommand{\bitseq}[1]{\typeexp{\bit}{#1}} \newcommand{\byteseqs}{\typeexp{\bit}{8\mult\Nat}} \newcommand{\concatbits}{\mathsf{concat}_\bit} \newcommand{\listcomp}[1]{[~{#1}~]} \newcommand{\for}{\text{ for }} \newcommand{\from}{\text{ from }} \newcommand{\upto}{\text{ up to }} \newcommand{\downto}{\text{ down to }} \newcommand{\squash}{\!\!\!} \newcommand{\caseif}{\squash\text{if }} \newcommand{\caseotherwise}{\squash\text{otherwise}} \newcommand{\sorted}{\mathsf{sorted}} \newcommand{\length}{\mathsf{length}} \newcommand{\mean}{\mathsf{mean}} \newcommand{\median}{\mathsf{median}} \newcommand{\clamp}[2]{\mathsf{clamp\,}_{#1}^{#2}} \newcommand{\Lower}{\mathsf{lower}} \newcommand{\Upper}{\mathsf{upper}} \newcommand{\bitlength}{\mathsf{bitlength}} \newcommand{\size}{\mathsf{size}} \newcommand{\mantissa}{\mathsf{mantissa}} \newcommand{\ToCompact}{\mathsf{ToCompact}} \newcommand{\ToTarget}{\mathsf{ToTarget}} \newcommand{\hexint}[1]{\mathbf{0x{#1}}} \newcommand{\dontcare}{\kern -0.06em\raisebox{0.1ex}{\footnotesize{$\times$}}} \newcommand{\ascii}[1]{\textbf{``\texttt{#1}"}} \newcommand{\Justthebox}[2][-1.3ex]{\;\raisebox{#1}{\usebox{#2}}\;} \newcommand{\hSigCRH}{\mathsf{hSigCRH}} \newcommand{\hSigLength}{\mathsf{\ell_{hSig}}} \newcommand{\hSigType}{\bitseq{\hSigLength}} \newcommand{\EquihashGen}[1]{\mathsf{EquihashGen}_{#1}} \newcommand{\CRH}{\mathsf{CRH}} \newcommand{\CRHbox}[1]{\SHA\left(\Justthebox{#1}\right)} \newcommand{\SHA}{\mathtt{SHA256Compress}} \newcommand{\SHAName}{\term{SHA-256 compression}} \newcommand{\FullHash}{\mathtt{SHA256}} \newcommand{\FullHashName}{\mathsf{SHA\mhyphen256}} \newcommand{\Blake}[1]{\mathsf{BLAKE2b\kern 0.05em\mhyphen{#1}}} \newcommand{\BlakeGeneric}{\mathsf{BLAKE2b}} \newcommand{\FullHashbox}[1]{\FullHash\left(\Justthebox{#1}\right)} \newcommand{\setof}[1]{\{{#1}\}} \newcommand{\range}[2]{\{{#1}\,..\,{#2}\}} \newcommand{\minimum}{\mathsf{min}} \newcommand{\maximum}{\mathsf{max}} \newcommand{\floor}[1]{\mathsf{floor}\!\left({#1}\right)} \newcommand{\trunc}[1]{\mathsf{trunc}\!\left({#1}\right)} \newcommand{\ceiling}[1]{\mathsf{ceiling}\left({#1}\right)} \newcommand{\vsum}[2]{\smashoperator[r]{\sum_{#1}^{#2}}} \newcommand{\vxor}[2]{\smashoperator[r]{\bigoplus_{#1}^{#2}}} \newcommand{\xor}{\oplus} \newcommand{\band}{\binampersand} \newcommand{\mult}{\cdot} \newcommand{\rightarrowR}{\buildrel{\scriptstyle\mathrm{R}}\over\rightarrow} \newcommand{\leftarrowR}{\buildrel{\scriptstyle\mathrm{R}}\over\leftarrow} \newcommand{\JoinSplit}{\text{\footnotesize\texttt{JoinSplit}}} \newcommand{\affiliation}{\hairspace$^\dagger$\;} \newcommand{\affiliationDuke}{\hairspace$^\ddagger$\;} \begin{document} \title{\doctitle \\ \Large \docversion} \author{ \Large \leadauthor\hairspace\thanks{\;duke@leto.net} } \date{\today} \maketitle \renewcommand{\abstractname}{} \vspace{-8ex} \begin{abstract} \normalsize \noindent \textbf{Abstract.} \Hush originally was a source code fork of the \Zcash 1.0.8 codebase. Hush was originally called "Zdash" and mined a genesis block on Nov 17, 2016. The latest version of \Hush migrates to a new codebase with a new genesis block while keeping the emission schedule as close as possible to the original intentions \vspace{2.5ex} \noindent \textbf{Keywords:}~ \StrSubstitute[0]{\keywords}{,}{, }. \end{abstract} \vspace{-10ex} \phantomsection \addcontentsline{toc}{section}{\Large\nstrut{Contents}} \renewcommand{\contentsname}{} % http://tex.stackexchange.com/a/182744/78411 \renewcommand{\baselinestretch}{0.85}\normalsize \tableofcontents \renewcommand{\baselinestretch}{1.0}\normalsize \newpage \nsection{Introduction} \nsection{Things Staying The Same} \begin{itemize} \item 21M total supply \item Block reward \item Block time \item Halving interval \item Delayed-Proof-Of-Work \end{itemize} \nsection{Things Changing} \begin{itemize} \item New Genesis Block \item Sprout Disabled \item First Pure Sapling Chain, with Super Fast Shielded Transactions \item s/ZEC/KMD/ as upstream \item New main Github repo \item Addition of 10\% Founders Reward \item Address prefix change (t1,t3 becomes R,b) \item RPC and P2P ports \item Enable CryptoConditions (Custom Consensus) \item Improved Difficulty Adjustment Algorithm (LWMA-jl777) \item Block Size increase to 4MB \item Shielding Rule \item TLS Support \end{itemize} \begin{quote} Governments can be useful to the governed only so long as inherent tendencies toward tyranny are restrained. - The Stolen Journals \end{quote} \nsection{First Pure Sapling Blockchain} HUSH is proud to be the very first pure Sapling blockchain! HUSH enables Sapling at Block 1, which means no Sprout UTXOs will ever exist on our new blockchain. This removes any future risk of Sprout bugs/CVEs and drastically reduces the maintenance cost going forward, as Sprout code and Sapling code are different codepaths and so supporting Sprout at least doubles the amount of code to maintain. No other blockchain has started as a pure Sapling chain, all other existing Zcash source code forks have transitioned from Sprout to Sapling. \nsection{10\% Founders Reward} HUSHv3 adds a 10\% Founders Reward, in perpetuity, until block rewards end. This is approximately 5.5 million blocks or about 30 years. The Founders Reward is paid out every block in vout\[1\] to a single address of type "pubkeyhash": RHushEyeDm7XwtaTWtyCbjGQumYyV8vMjn with scriptPubKey 76a9145eb10cf64f2bab1b457f1f25e658526155928fac88ac Initially the Founders Reward is 1.25 HUSH, starting at Block 129 until the first halving on the new chain at Block 340000. In order to help transition, there will be a period of 128 blocks of zero block reward, which enables the new mainnet to be started just before our snapshot block, ready for miners to switch over. This also allows mining necessary blocks to start the chain and dispersing funds without developers unfarily earning many of the early block rewards. This corresponds to roughly 6hrs but our block times are not expected to converge to 150 seconds for a few days, so it is a rough estimate. \nsection{New Upstream: KMD} HUSH is no longer directly a source code fork of Zcash (ZEC), it is now a fork of Komodo (KMD). Since KMD itself is a fork of ZEC, this means we gain an immense amount of code and features, and all the development velocity of jl777. As an example, during the development of HUSHv3, over the course of a few weeks, about 20,000 lines of code was changed in upstream Komodo repo, adding many features and fixing various bugs. We expect to see the developement velocity of the HUSH community greatly increase, since we will now essentially have jl777 constantly doing low-level blockchain internals coding, which frees up other developer resources to work on wallets, explorers, HushList protocol and applications which sit on top of the RPC interface. HUSHv3 is a source code fork of the jl777/komodo git repository and live at https://github.com/MyHush/hush3 As of Block 500,000, the legacy Hush network and codebase is unsupported. The network is not being forcibly turned off, those that want are free to use it, and use any encrypted data they may have in memo fields. \nsection{CryptoConditions} CryptoConditions are UTXO-based smart contracts and also an IETF standard: https://tools.ietf.org/html/draft-thomas-crypto-conditions-04 Hush will enable the following CryptoConditions initially, and plans to enable others as time goes on: \begin{itemize} \item Heir - cryptocoin inheritance \item Gateway \item Oracle \item Channel \item Faucet \end{itemize} These features will allow for an entire ecosystem of decentralized applications (dApps) to be built on top of HUSH, which integrate with HushList protocol as well as cross-chain integrations with other Komodo asset chains that have cryptoconditions enabled. \nsection{Hush v1-v2 Total Supply Bug} \begin{quote} To save one from a mistake is a gift of paradise. - Stilgar to Lady Jessica \end{quote} The original Hush devs added the original pre-mine in such a way that Hush would have a supply greater than the intended 21,000,000 after about 30 years. This fact was discovered in the process of emulating the current Hush supply curve (halving interval) on our new Komodo-based chain. This bug will be corrected on our new chain (Hush v3) by ceasing block rewards when total supply hits 21M coins, as intended. As a reminder, NONE of the current Hush team received any the original 0.76\% (160,000 HUSH) pre-mine. All of the original Hush developers who received the reward have long since left the project. The current Hush chain (version 2) will attain a supply of 21,000,000 coins at Block 5922239 which will have a Block Reward of 0.09765625 HUSH. This happens between the 7th and 8th halvings. But because the original devs of Hush added a pre-mine of 160,000 HUSH in blocks 1 through 4, the current Hush supply curve will continue past the 21M supply mark until Block 26039999 when supply is 21159937.4895 HUSH and the last block reward of 1 satoshi is awarded just before the 31st halving. The core issue is that blocks 1 through 4 had a block reward of 40,000 each instead of 12.5 each in the GetBlockSubsidy() function defined in main.cpp, but the overall emission schedule was not modified to take this into account. This mistake would eventually lead to an extra 159,937.4895 HUSH of total supply beyond the intended totaly supply of 21M, which would happen after about 30 years, between the 7th and 8th halvings. This bug in the supply curve of Hush will be fixed during the migration to a Komodo asset chain, where we can use ac\_end=N to specify a block when block rewards should cease. This will allow us to enforce the intended 21M total supply of Hush. To calculate the value of ac\_end for the new Hush chain: ac\_end = 5922239 - (number of blocks in old Hush chain) - (zero block reward transition period) ac\_end = 5922239 - 500000 - 128 ac\_end = 5422111 To clarify, Hush will have a consensus rule that block rewards stop at block 5422111 which will enforce a total supply of 21M coins. \nsection{New Blockchain Size} The Hush blockchain will essentially be compressed, down from its current size of about 3.4GB to a few megabytes. This is related to the fact that there are about 30,000 unique addresses on the Hush blockchain which contain funds. This compression will greatly improve the user experience of new Hush users, which can install and sync a full node in just a few minutes. \nsection{Delayed Proof-Of-Work} \begin{quote} May thy knife chip and shatter. - Fremen saying of ill will against an adversary \end{quote} HUSH will continue to have Delayed Proof-of-Work as protection against 51\% attacks and double spend attack prevention. No other technology is proven in production like DPoW. The current implementation of DPoW in Hush v2 was tested in a test attack. A large amount of hashrate was rented at NiceHash, and a 51\% attack was attempted, which would re-organized a notarized block. The attack repeatedly failed and wasted a large amount of BTC of the simulated attacker. HUSHv3 will be migrating to the core DPoW implementation of Komodo itself, instead of relying on the implementation that was ported from Komodo to the Hush v2 codebase. This further increases HUSH development velocity and reduces our maintenance burden to merge upstream code. \nsection{Cryptopia Attack} Delayed-Proof-of-Work had been implemented in Hush in early 2018 but took many months to finish testing and be pushed to mainnet. During this time, an enterprising attacker probably saw that their window to attack HUSH was closing. This attacker performed a series of 51\% and double spend attacks against Cryptopia, between August 28th and September 21st 2018 It was designed to use amounts small enough to evade daily limits or fraud detection. There were dozens of block reorganizations longer than branchLen=2, the largest being a reorganization of: \begin{quote} At Fri, 21 Sep 2018 07:00:50 GMT the subchain 00000009abdccd07615216765b17f99fbfc50e4106efe7bee2e4ca22810b0fa3.. 000000028afb1daccbd0ac17d8685deeb0d072fdc5d4609209dd68675f873611 (46 blocks) was orphaned and replaced by 00000009abdccd07615216765b17f99fbfc50e4106efe7bee2e4ca22810b0fa3.. 000000038aadc3d77ae6df320e51168e6215f9abe62b65b51633715f719773bc (45 blocks) \end{quote} Note that the above block hashes must be looked up on a legacy HUSH block explorer such as https://explorer.hush.zelcore.io and additionally, the orphaned block will not be in the main chain and only will exist as an orphaned block on nodes which originally saw that invalidated chain. Via blockchain analysis and detailed transaction logs from Cryptopia, who gave us details about which addresses the attacker was using, it was determined that the following addresses are owned by the Cryptopia Double Spend Attacker, with old HUSH v2 addresses on the left and new HUSH v3 addresses on the right. \begin{quote} 651000 HUSH t1bEBr1LdBQtHun7B5L82R65FgpWyyWFx8L = RSdmvBomouuGP9RUc5J2NoJYCRnVqT3j5V 29279.8 HUSH t1KttMaacGw17oFitV448TGfwM2yovm4g6Q = RBJURm3kuS26Gd3C1oE8QyuDreFKpkNT2Z \end{quote} These two addresses own a total of ~680,000 HUSH which was not dispersed to the equivalent addresses on the new HUSH v3 mainnet. These funds currently remain in the HUSH Founders Reward wallet and will be used to reimburse all who were stolen from at Cryptopia, which will enable HUSH trading to resume. Any remaining funds will be used for additional exchange listings. \nsection{Immutability of HUSH v2 + v3} Please note that the immutability of the legacy Hush mainnet or new Hush v3 mainnet was never compromised. The Bitcoin Protocol was observed strictly and Hush did not do what other coins have done in similar situations which is to actually backdoor the Bitcoin Protocol itself, and make it such that certain pubkeys can make transactions which they shouldn't, to spend funds which were lost or stolen, etc. This was deemed unacceptable, for obvious moral, security and financial reasons. Instead, we have chosen to keep our original intentations, which is that we do not believe that forcibly turning off peoples nodes is right. So people on the legacy Hush chain are free to continue using it. They should note, that the Sprout Inflation bug is still waiting to be exploited there and that DPoW is no longer active (the last notarization was Block 501080), so 51\% attackers have a playground. Every user of Hush gets to decide if they choose to keep using the v2 or v3 chain and no user is forced to use either. This way embraces decentralization at the very core, since we do not force our choices upon our users. They get to decide which chain goes forward. \nsection{Sprout Inflation Bug Playground} Let it be known that HUSH v2 mainnet is considered a Sprout Inflation bug playground, and there is a bounty of 500 HUSH for a script which makes it trivial to exploit the Sprout inflation bug and generate arbitrary amounts of funds insize of a Sprout zaddr. Developers and information security researchers are directed here for more info: https://github.com/MyHush/hush3/issues/7 \nsection{Dispersing Funds To The New Mainnet: Swapping Airdrop} This process is sometimes called an "airdrop" because the technical process of sending funds to addresses is the same, but HUSH v3 is technically a "coin swap", since we do not support our legacy chain. A total of 3127 transactions with "sendmany" were made to complete sending funds to ~31,000 unique addresses which contained funds on the Hush v2 blockchain as of the snapshot block of 500,000. This data was extracted via the "getsnapshot" RPC which I helped write for Komodo and ported to Hush v2. Full data is available here: https://github.com/MyHush/hush3/blob/duke/contrib/snapshot/snapshot\_500000.json The actual script used to disperse funds can be found here: https://github.com/MyHush/hush3/blob/duke/contrib/snapshot/airdrop\_hush3.sh \nsection{Special Thanks} Special thanks to jl777 and the greater Komodo community for inspiring a new generation of cypherpunks to innovate outside the constraints of Bitcoin and Zcash core communities. Special thanks to radix42, Savior Of The Memo Field, for mentoring me in my early days as a cryptocoin dev. \nsection{References} \begingroup \hfuzz=2pt \renewcommand{\section}[2]{} \renewcommand{\emph}[1]{\textit{#1}} \printbibliography \endgroup \end{document}