HushList Protocol Whitepaper
\title{\doctitle \\
\Large \docversion}
\Large \leadauthor\hairspace\thanks{\;Hush Core Developers} \\
\Large \coauthora\affiliation }
\normalsize \noindent \textbf{Abstract.}
\HushList is a protocol for mailing lists using the encrypted memo
field of the \Zcash protocol. It supports anonymous and pseudonymous senders, receivers and Hushlist creators, as
well as public and private lists. The HushList protocol can run on any fork of \Zcash that has a compatible memo field, though certain advanced features might not be fully supported
on all chains. HushList is developed and tested on the Hush and Zcash mainnets as well as
testnets (TUSH and TAZ), next to be tested is Komodo (KMD).
In addition to the above properties, \HushList provides users with censorship-resistant
storage and retrieval, since every \Hush full node will have an encrypted copy of every
\HushList memo. Furthermore, sending and receiving via one or more blockchains is a serious deviation from traditional server-client design which easily allows a Man-In-The-Middle Attack and Deep Packet Inspection (DPI). Network traffic monitoring and correlation is made much harder, because there is no longer a packet with a timestamp and "selectors" going from one unique IP to another unique IP via a very predictable network route.
\Zcash is an implementation of the \term{Decentralized Anonymous Payment}
scheme \Zerocash, with security fixes and adjustments
to terminology, functionality and performance. It bridges the existing
\emph{transparent} payment scheme used by \Bitcoin with a
\emph{shielded} payment scheme secured by zero-knowledge succinct
non-interactive arguments of knowledge (\zkSNARKs).
\Hush is a fork of the \Zcash codebase (1.0.9) which generated it's own
genesis block and uses the Zcash Sprout proving key.
\noindent This specification defines the \Hushlist communication protocol and explains
how it builds on the foundation of \Zcash and \Bitcoin.
\noindent \textbf{Keywords:}~ \StrSubstitute[0]{\keywords}{,}{, }.
\HushList is a protocol for anonymous mailing lists using the encrypted memo
field of the zcash protocol.
Technical terms for concepts that play an important role in \Hushlist are
written in \term{slanted text}. \emph{Italics} are used for emphasis and
for references between sections of the document.
The key words \MUST, \MUSTNOT, \SHOULD, and \SHOULDNOT in this
document are to be interpreted as described in \cite{RFC-2119} when they
appear in \ALLCAPS. These words may also appear in this document in
lower case as plain English words, absent their normative meanings.
This specification is structured as follows:
\item Notation | definitions of notation used throughout the document;
\item Concepts | the principal abstractions needed to understand the protocol;
\item Abstract Protocol | a high-level description of the protocol in terms
of ideal cryptographic components;
\item Concrete Protocol | how the functions and encodings of the abstract
protocol are instantiated;
\item Implications
\nsubsection{High-level Overview}
The following overview is intended to give a concise summary of the ideas behind
the protocol, for an audience already familiar with \blockchain-based
cryptocurrencies such as \Bitcoin or \Zcash.
Value in \Hush is either \transparent or \shielded. Transfers of \transparent
value work essentially as in \Bitcoin and have the same privacy properties.
\xShielded value is carried by \notes, which specify an amount and a \payingKey.
The \payingKey is part of a \paymentAddress, which is a destination to which
\notes can be sent. As in \Bitcoin, this is associated with a private key that
can be used to spend \notes sent to the address; in \Hush this is called a
A \transaction can contain \transparent inputs, outputs, and scripts, which all
work as in \Bitcoin \cite{Bitcoin-Protocol}. It also contains a sequence of zero or
more \joinSplitDescriptions. Each of these describes a \joinSplitTransfer
which takes in a \transparent value and up to two input \notes, and produces a
\transparent value and up to two output \notes.
Each \HushList \MUST have a default blockchain that it is attached to, and the default
chain \SHOULD be HUSH. The user \MUST be able to set their GLOBAL default chain (not implemented yet) as well as a default chain for each list.
Each list also has a tadd+zaddr dedicated to that list, so the user has dedicated addresses to send psuedo/anon messages, as well as default fee and amount. The default amount is
$ 0.0 $ and the default fee is currently $ 0.0001 $ but these numbers are subject to change.
\HushList supports file attachments and embedding arbitrary binary data, it is not limited to ASCII.
\nsection{Design of \HushList}
The design of \HushList is inspired by Git. This document specifies a protocol and the authors provide a reference implementation of this protocol in cross-platform Perl which can be easily installed on millions of computers around the world via CPAN and other methods.
\HushList should work across any platform that supports Perl and Hush (or your other coin).
The reference implemenation is written in a maintainable and testable way such that it
can easily evolve as the Protocol evolves.
It is hoped that in the future there will be many implementations of \HushList, running on
various blockchains and using various software stacks. The design of \HushList is compatible with Simple Payment Verification (SPV) light wallets and a future version of \HushList will learn to speak an ElectrumX backend server.
\nsection{Reference Implementation}
The reference implementation is developed as Free Software on Github at the following URL:
This code is still in active development, consider it EXPERIMENTAL and ONLY FOR DEVELOPERS at this point pending a security review.
\nsection{Account Funding}
On first run, \HushList creates a new shielded zaddress $z_F$ to fund transparent addresses for pseudonymous sending.
It may be funded by the user from any taddr or zaddr with no loss of privacy.
For each pseudonym the user sends from (may be globally used or per-list), a
taddr $t_L$ is created and a de-shielding transaction is done from $ z_F \rightarrow t_L $ which
will allow the user to send memos to the given \HushList on behalf of the $t_L$ pseudonym.
Since \HushList memos have, by default, an amount of $ 0.0 $.
For each \HushList the user wants to be part of, \HushList \MUST create a brand new zaddress $ z_L $
(it \MUSTNOT reuse an existing address) and fund that address via a shielded $z \rightarrow z$ transaction between $z_F \rightarrow z_L$.
If there are no taddr or zaddr funds in the entire wallet, \HushList \SHOULD present the user a taddr + zaddr which can be used to "top up" the current \HushList wallet from another wallet/exchange/etc.
\nsection{\HushList Contacts}
\HushList maintains a database of contacts which use the address as the unique ID and additional metadata. Since \HushList supports multiple blockchains, it \MUST have a contact database
for each chain. Each chain \MUST have it's own contact namespace, so you can have Bob on Hush and Bob and Zcash and they will not conflict.
\HushList internally associates lists to Contacts, not the address of a contact. This allows the user to update the address of a contact in one place and things work correctly the next time the address of that contact is looked up. Lists contain Contacts and Contacts have addresses.
A \HushList contact may only have ONE address, either taddr or zaddr, but not both.
To have a taddr and zaddr for a person, you can simply create two contacts, such
as tBob and zBob. In terms of the metadata that is revealed when communicating with
tBob or zBob, they are quite different, and it is healthy for metadata minimization
to consider them as two different contacts.
\nsection{List Creation}
\nsection{List Subscription}
When the private key for a list is imported into HushList, either from the
blockchain, URI or manual entry, the private key is added to the user's wallet,
along with a user entered or approved name and description for the list (if
provided in on-chain or uri encoded metadata). HushList creates a unique
taddr + zaddr for each list so that the user may choose to send each message
to the list psuedonymously or anonymously or a mixture of both.
\nsection{Sending To A List}
One may send to a \HushList from a taddr (pen name, psuedonym) or zaddr
(anonymous shielded address) which is implemented in the client via
the z\_sendmany RPC command. Up to 54 recepients may be in a single shielded
transaction. v1 of HushList only supports HushLists of this size, but v2
may implement larger HushLists by breaking large recipient lists into multiple sends.
One may send a string of text via the *send* subcommand or send the contents of a file via the *send-file* subcommand.
Each HushList has a dedicated default chain that it is attached to. When looking up
\HushList contacts for a given list, their address on that chain will be retreived.
\nsection{Receiving Messages}
At any time later, after the transaction has entered the blockchain, memos
sent to a given address can be downloaded and viewed by those parties who
have valid private keys or viewing keys.
Clients can poll the local full node periodically at a user specifiable
default interval OR, by default, the same as the average block time for the chain in question.
For the \Hush chain, this is 2.5 minutes.
Sending \HushList memos requires making a financial transaction and by default,
\HushList sends the recipient a transaction for 0.0 \HUSH (or \ZEC etc) with
the default network fee (currently 0.0001 for \ZEC+\HUSH). The fee amount \MUST
be configurable by the user. In the reference implementation of \HushList it
be changed via the HUSHLIST\_FEE environment variable.