sietch/README.md

# Sietch

## What is Sietch?

Sietch is a new set of RPC functionality and consensus rules related to
using shielded funds. Shielded transaction creation is modified above
the level of the Zcash Protocol itself, no changes to that
layer are made. This preserves compatibility with all existing Zcash protocol
ecosystem software.

Sietch defines certain wallet and transction conditions that must be
upheld for transactions to be accepted by the network as well as making all clients have
new default behavior that is more privacy-preserving.

Sietch does not modify anything about Zcash internals such as zk-SNARKs,
cryptographic primitives or changing any of the deep math involved, such
as Elliptic Curves parameters or other deep cryptographic machinery.

Any Zcash Protocol coin could adopt this "upgrade" to plain Zcash Protocol,
though it should be noted that Hush was the first pure Sapling Zcash Protocol
coin and so our implementation ignores Sprout JoinSplits, since we thankfully
have none on our v3 mainnet. Supporting Sprout would not be complex and is
left as an exercise to the interested privacy coin.

## How is Sietch implemented?

Sietch is written in C++ and mostly lives inside the hushd full node, which means
all GUI wallets can benefit from it. Some features in the future
may b  implemented at the GUI wallet level. The goal is that the user does not need
to think or do anything different, to have more privacy when
making transactions.

Since Sietch works at the hushd level, all existing code, such as GUI wallets,
mining pools and exchanges, require no code changes. They will make a shielded
transaction as they always have, via the same exact RPC methods and parameters.

From the perspective of the average GUI wallet user, It Just Works.
There are no additional mandatory steps for the user when sending
each transaction. No mandatory wallet maintenance will be needed
to keep their privacy. The same goes for exchanges, mining pools and all Hush users.
No changes at all are required by end users to enable Sietch, other than upgrading
to compatible Hush software.

There will be some options for advanced users, to
tweak the settings, but using them will not be required for increased privacy.
Hush is dedicated to all future privacy features being defaulted to ON instead
of asking our users to opt-in to privacy, which we know is a fools errand.

Users will not have to opt-in to Sietch and there will be no way to turn off
the functionality.

## What are the goals of Sietch?

 * Make linkability analysis of fully shielded (z2z) transactions drastically more expensive
 * Allow people to make zaddr xtns safely/privately without thinking about
   metadata leakage or advanced techniques
 * Prevent average users from making some blockchain operations which give out too much metadata
 * Break some assumptions which many blockchain analyst software uses
 * Require blockchain analysts to write new software
 * Increase the privacy of all funds in the shielded pool
 * Introduce non-determinism to counter ITM/Metaverse style metadata attacks

## What are the limitations/downsides of Sietch?

The goal of Sietch is increased privacy at the cost of increased blockspace usage per transaction,
increased CPU time and RAM to validate transcations and as a secondary effect, increased sync times.

Sietch potentially adds inputs and outputs to transactions to increase their privacy,
and so the maximum number of actual recipients is lower when Sietch is enabled. In practice,
transactions can still send to over 1000 recipients even with Sietch protections, so it
doesn't effect normal usage.

How much longer will average zxtn take? Research: How many zouts while staying under <10s?

Potentially more txfees if the transaction becomes so large to require more than the default fee.

No increased RAM usage, as creating JoinSplits is a serial process, but shielded transactions
will take longer in CPU seconds, since there will be more recipients by default.

## Implementation Details

These RPCs are modified directly:

```
	z_sendmany
	z_shieldcoinbase
	z_mergetoaddress
```

These RPCs interact with zaddr xtns and may report different or additional info after this change:

```
	z_viewtransaction
	z_listtransactions
	listunspent
```

### z\_sendmany Rule of Seven

Our goal is to be non-deterministic while also inserting enough zouts such that we have at least N=7 zouts.

Since the normal case is to have 2 zouts (one recipient for a z2z and one change zout back to sending address),
the normal case will be to add 5 zouts to a normal z2z xtn.

For a z=>t, we must add ....
For a t=>z we must add 6.

The reason N=7 is chosen is because of the simple fact that `6!=720` while `7!=5040`. This parameter is chosen
in response to the ITM attack, which relies on a small number of zouts and doing combinatorial algorithms on all
possibilities. These combinatorial algorithms increase in state space for each link in a long chain of transactions.
Traditionally each xtn only has a few zouts and so because `2!=2` and `3!=6`, the combinatorial explosion does not
have a chance to slow down the ITM attack.

Now, consider 5040 choices at each link in a chain, and say we are studying a chain of length L=10.
Compared to pre-Sietch, we would have `2^10=1024` possibilities versus

```
5040^10 = 10575608481180064985917685760000000000
````

possibilities. Even for short chains of xtns, the combinatorial explosion of possibility renders the ITM attack
extremely expensive. It limits it to searching for linkability metadata in only short chains with lots of
additional supporting metadata, effectively raising the bar for attack and removing many potential attackers
who do not have sufficient resources. In pre-Sietch code, the ITM attack can potentially research very long chains,
dozens, hundreds and perhaps thousands of transactions in length, with commodity hardware.
Sietch exponenentially increases the cost of doing this, in RAM, CPU and running-time. 


### Non-determinism


Combinatorial explosion can only protect us so much. It is only one layer of defense. 

When adding zutxos, to break the ITM/Metaverse metadata attacks at a deep level, we much break a deep assumption
that is baked deep into Bitcoin: determinism.
update 5 years ago			`# Sietch`
start documenting this 5 years ago
update 5 years ago			`## What is Sietch?`
updates 5 years ago
update 5 years ago			`Sietch is a new set of RPC functionality and consensus rules related to`
			`using shielded funds. Shielded transaction creation is modified above`
			`the level of the Zcash Protocol itself, no changes to that`
			`layer are made. This preserves compatibility with all existing Zcash protocol`
			`ecosystem software.`
start documenting this 5 years ago
update 5 years ago			`Sietch defines certain wallet and transction conditions that must be`
			`upheld for transactions to be accepted by the network as well as making all clients have`
			`new default behavior that is more privacy-preserving.`
start documenting this 5 years ago
update 5 years ago			`Sietch does not modify anything about Zcash internals such as zk-SNARKs,`
			`cryptographic primitives or changing any of the deep math involved, such`
			`as Elliptic Curves parameters or other deep cryptographic machinery.`
start documenting this 5 years ago
updates 5 years ago			`Any Zcash Protocol coin could adopt this "upgrade" to plain Zcash Protocol,`
			`though it should be noted that Hush was the first pure Sapling Zcash Protocol`
			`coin and so our implementation ignores Sprout JoinSplits, since we thankfully`
			`have none on our v3 mainnet. Supporting Sprout would not be complex and is`
			`left as an exercise to the interested privacy coin.`

update 5 years ago			`## How is Sietch implemented?`
start documenting this 5 years ago
update 5 years ago			`Sietch is written in C++ and mostly lives inside the hushd full node, which means`
			`all GUI wallets can benefit from it. Some features in the future`
			`may b implemented at the GUI wallet level. The goal is that the user does not need`
start documenting this 5 years ago			`to think or do anything different, to have more privacy when`
			`making transactions.`

update 5 years ago			`Since Sietch works at the hushd level, all existing code, such as GUI wallets,`
			`mining pools and exchanges, require no code changes. They will make a shielded`
			`transaction as they always have, via the same exact RPC methods and parameters.`

start documenting this 5 years ago			`From the perspective of the average GUI wallet user, It Just Works.`
			`There are no additional mandatory steps for the user when sending`
Tweaks 5 years ago			`each transaction. No mandatory wallet maintenance will be needed`
update 5 years ago			`to keep their privacy. The same goes for exchanges, mining pools and all Hush users.`
			`No changes at all are required by end users to enable Sietch, other than upgrading`
			`to compatible Hush software.`
Tweaks 5 years ago
			`There will be some options for advanced users, to`
update 5 years ago			`tweak the settings, but using them will not be required for increased privacy.`
			`Hush is dedicated to all future privacy features being defaulted to ON instead`
			`of asking our users to opt-in to privacy, which we know is a fools errand.`
start documenting this 5 years ago
update 5 years ago			`Users will not have to opt-in to Sietch and there will be no way to turn off`
			`the functionality.`
start documenting this 5 years ago
update 5 years ago			`## What are the goals of Sietch?`

			`* Make linkability analysis of fully shielded (z2z) transactions drastically more expensive`
			`* Allow people to make zaddr xtns safely/privately without thinking about`
			`metadata leakage or advanced techniques`
update 5 years ago			`* Prevent average users from making some blockchain operations which give out too much metadata`
start documenting this 5 years ago			`* Break some assumptions which many blockchain analyst software uses`
			`* Require blockchain analysts to write new software`
			`* Increase the privacy of all funds in the shielded pool`
updates 5 years ago			`* Introduce non-determinism to counter ITM/Metaverse style metadata attacks`
update 5 years ago
update 5 years ago			`## What are the limitations/downsides of Sietch?`
update 5 years ago
update 5 years ago			`The goal of Sietch is increased privacy at the cost of increased blockspace usage per transaction,`
update 5 years ago			`increased CPU time and RAM to validate transcations and as a secondary effect, increased sync times.`

update 5 years ago			`Sietch potentially adds inputs and outputs to transactions to increase their privacy,`
			`and so the maximum number of actual recipients is lower when Sietch is enabled. In practice,`
			`transactions can still send to over 1000 recipients even with Sietch protections, so it`
			`doesn't effect normal usage.`
update 5 years ago
update 5 years ago			`How much longer will average zxtn take? Research: How many zouts while staying under <10s?`
update 5 years ago
Tweaks 5 years ago			`Potentially more txfees if the transaction becomes so large to require more than the default fee.`

updates 5 years ago			`No increased RAM usage, as creating JoinSplits is a serial process, but shielded transactions`
			`will take longer in CPU seconds, since there will be more recipients by default.`
update 5 years ago
			`## Implementation Details`

update 5 years ago			`These RPCs are modified directly:`
update 5 years ago
			```
			`z_sendmany`
			`z_shieldcoinbase`
			`z_mergetoaddress`
			```

update 5 years ago			`These RPCs interact with zaddr xtns and may report different or additional info after this change:`

			```
			`z_viewtransaction`
			`z_listtransactions`
			`listunspent`
			```

more stuff 5 years ago			`### z\_sendmany Rule of Seven`

			`Our goal is to be non-deterministic while also inserting enough zouts such that we have at least N=7 zouts.`

			`Since the normal case is to have 2 zouts (one recipient for a z2z and one change zout back to sending address),`
			`the normal case will be to add 5 zouts to a normal z2z xtn.`

			`For a z=>t, we must add ....`
			`For a t=>z we must add 6.`

			The reason N=7 is chosen is because of the simple fact that `6!=720` while `7!=5040`. This parameter is chosen
			`in response to the ITM attack, which relies on a small number of zouts and doing combinatorial algorithms on all`
			`possibilities. These combinatorial algorithms increase in state space for each link in a long chain of transactions.`
			Traditionally each xtn only has a few zouts and so because `2!=2` and `3!=6`, the combinatorial explosion does not
			`have a chance to slow down the ITM attack.`

			`Now, consider 5040 choices at each link in a chain, and say we are studying a chain of length L=10.`
			Compared to pre-Sietch, we would have `2^10=1024` possibilities versus

			```
			`5040^10 = 10575608481180064985917685760000000000`
			````

			`possibilities. Even for short chains of xtns, the combinatorial explosion of possibility renders the ITM attack`
			`extremely expensive. It limits it to searching for linkability metadata in only short chains with lots of`
			`additional supporting metadata, effectively raising the bar for attack and removing many potential attackers`
			`who do not have sufficient resources. In pre-Sietch code, the ITM attack can potentially research very long chains,`
			`dozens, hundreds and perhaps thousands of transactions in length, with commodity hardware.`
			`Sietch exponenentially increases the cost of doing this, in RAM, CPU and running-time.`


			`### Non-determinism`


			`Combinatorial explosion can only protect us so much. It is only one layer of defense.`

			`When adding zutxos, to break the ITM/Metaverse metadata attacks at a deep level, we much break a deep assumption`
			`that is baked deep into Bitcoin: determinism.`
update 5 years ago